With a rock-solid FreeBSD® base, Zettabyte File System support, and a powerful Web GUI, TrueNAS™ Pro pairs easy-to-manage software with world-class hardware for an unbeatable storage solution.

Storage. Speed. Stability.

In order to achieve maximum performance, the TrueNAS™ Pro 2U and 4U Systems, equipped with the Intel® Xeon® Processor 5600 Series, support Fusion-io's Flash Memory cards and 10GbE Network Cards. Titan TrueNAS™ Pro 2U and 4U Appliances are an excellent storage solution for video streaming, file hosting, virtualization, and more. Paired with optional JBOD expansion units, the TrueNAS™ Pro Systems offer excellent capacity at an affordable price.

For more information on the TrueNAS™ 2U Pro and TrueNAS™ 4U Pro, or to request a quote, visit: http://www.iXsystems.com/TrueNAS.

1-855-GREP-4-IX | www.iXsystems.com

TrueNAS™ 2U PRO
KEY FEATURES

Supports One or Two Quad-Core or Six-Core Intel® Xeon® Processor 5600 Series
12 Hot-Swap Drive Bays - Up to 36TB of Data Storage Capacity*
Periodic Snapshots Feature Allows You to Restore Data from a Previously Generated Snapshot
Remote Replication Allows You to Copy a Snapshot to an Offsite Server, for Maximum Data Security
Up to 4.48TB of Fusion-io Flash Memory
2 x 1GbE Network Interface (Onboard) + Up to 4 Additional 1GbE Ports or Single/Dual Port 10GbE Network Cards

TrueNAS™ 4U PRO
KEY FEATURES

Supports One or Two Quad-Core or Six-Core Intel® Xeon® Processor 5600 Series
24 or 36 Hot-Swap Drive Bays - Up to 108TB of Data Storage Capacity*
Periodic Snapshots Feature Allows You to Restore Data from a Previously Generated Snapshot
Remote Replication Allows You to Copy a Snapshot to an Offsite Server, for Maximum Data Security
Up to 14.08TB of Fusion-io Flash Memory
2 x 1GbE Network Interface (Onboard) + Up to 4 Additional 1GbE Ports or Single/Dual Port 10GbE Network Cards

JBOD expansion is available on the 2U and 4U Pro Systems

* 2.5" drive options available; please consult with your Account Manager
Protecting dynamic websites in FreeBSD

We warm up with Darrel Levitch's article about installing and configuring DNSSEC for small networks using Unbound.

Then we move on to the Developers Corner which is very PC-BSD oriented this month — with two articles written by Kris Moore and Dru Lavigne. You will learn how to easily update your PC-BSD and how to back it up to FreeNAS with Life Preserver.

We also couldn't miss news from the DragonflyBSD project — provided by Justin Sherrill.

How Tos' first article is our cover story written by Stavros Shaeles — his tutorial will guide us step by step and show how to install and configure various applications to successfully protect our dynamic websites from various attacks.

It is followed by Sufyan bin Uzayr and his article explaining how to tune and optimize MySQL databases for best performance, and Alexei Malinin who describes his work with OpenBSD consoles for AMD/Intel PCs.

After that Michael Bushkov will show us some

I hope you will find this issue to be both interesting

Zbigniew Puchcinski
Editor in Chief
zbigniew.puchcinski@software.com.pl

Editor in Chief: Zbigniew Puchcinski
Contributing: Darrel Levitch, Kris Moore, Dru Lavigne, Justin C. Sherrill, Stavros N. Shaeles, Sufyan bin Uzayr, Alexei Malinin, Michael Bushkov, Svetoslav Chukov
Special Thanks: Denise Ebery
Art Director: Ireneusz Pogroszewski
Paweł Marciniak, pawel@software.com.pl
Executive Ad Consultant: Ewa Dudzic, ewa.dudzic@software.com.pl

... worldwide publishing ... informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. The editors use automatic DTP system AWPU.
Get Started

06 DNSSEC resolution and IPv6: Unbound on FreeBSD 8.2
Darrel Levitch
Unbound runs on FreeBSD, OpenBSD, NetBSD, Linux, and Microsoft Windows. It provides a reasonably simple way to implement DNSSEC in a local-area network. With Unbound, forward and reverse resolution is possible for small networks where IPv6 is implemented.

Developers Corner

08 Keeping up to date in PC-BSD 9
Kris Moore
Since the early days of PC-BSD, there have been various GUI mechanisms for performing critical system and security updates.

10 Using Life Preserver to Backup a PC-BSD 9.0 System to FreeNAS™ 8.0.1
Dru Lavigne
This article demonstrates how to use the built-in Life Preserver program to backup a PC-BSD 9.0 desktop system to a FreeNAS™ 8.0.1 NAS system. Users can refer to the Guides at http://wiki.pcbsd.org/index.php/PC-BSD_9_Handbook and http://doc.freenas.org for instructions on how to install PC-BSD and FreeNAS™.

16 Recovering data with hammer
Justin C. Sherrill
We've all experienced instant regret. That's the feeling that comes within a second of executing a command like "rm -rf * .txt" (note the space) or of cutting the wrong cluster of wires at the end of a long conduit. Not that I am quoting from experience, or anything like that, no...

How Tos

18 Apache2, php5, mysql5, modsecurity2.5 installation and configuration in order to protect dynamic websites from various attacks, in FreeBSD 8.2
Stavros N. Shaeles
In the last years there has been a tremendous increase in dynamic websites and CMSes using PHP. A very large part of the market for these websites is served by the Apache web server using MySQL as the database, mostly on Unix systems. This tremendous growth of PHP in dynamic websites and open source CMSes like Joomla also increases hacker attacks that aim to compromise a website or hack the server to use it in a botnet. So someone may wonder: is there anything that can protect my websites apart from backups and upgrading our system and software? The answer is yes.

28 MySQL Unleashed!
Sufyan bin Uzayr
We explore some tips and tricks that you can use to gain better performance with MySQL.

34 Terminal Descriptions for OpenBSD AMD/Intel consoles
Alexei Malinin
In this article I would like to describe the results of my work of tuning OpenBSD consoles for AMD/Intel PCs. These results are also applicable to computers with the same hardware architecture (amd64 or i386, see http://www.openbsd.org/plat.html): servers, workstations, notebooks, etc.

Tips and Tricks

38 VideoLAN: Learn what you can do with your video and audio using the powerful VideoLAN command line interface
Michael Bushkov
Dealing with video and audio data is part of our everyday life. Sometimes, though, we need to do things that fall into the "advanced" category. What tools should we use then?

Security

43 NetBSD Intrusion Detection Server. How can we describe the functions of such a server?
Svetoslav Chukov
Sometimes a special type of system needs to be running on the server. This server will serve different purposes; it will take care of the network security.
DNSSEC resolution and IPv6: Unbound on FreeBSD 8.2

Unbound runs on FreeBSD, OpenBSD, NetBSD, Linux, and Microsoft Windows.

What you will learn...
• how to install and configure DNSSEC for small networks

What you should know...
• basic FreeBSD concepts
• basic DNS concepts

Unbound provides a reasonably simple way to implement DNSSEC in a local-area network. With Unbound, forward and reverse resolution is possible for small networks where IPv6 is implemented. You could modify this example installation against your network, and possibly have Unbound serving DNS on your network in a few hours. This example configures an authoritative, validating, recursive, and caching DNS server.

Before installing the Unbound DNS validating resolver, it might be a good idea to have a recent version of OpenSSL from ports:

# cd /usr/ports/security/openssl
# make install clean

I enabled TLS_EXTRACTOR and SCTP for the case that it might be interesting to use them sometime in the future. Next, install the resolver:

# cd /usr/ports/dns/unbound
# make install clean

Even though Paul Vixie might disagree, I did not want to have much limitation on outgoing ports, so I enabled LIBEVENT. I did not think of a reason to enable THREADS or GOST. If you do Python programming, perhaps you will enable PYTHON.

Before modifying the configuration file, get a copy of root.hints:

# wget ftp://FTP.INTERNIC.NET/domain/named.cache -O \
    /usr/local/etc/unbound/root.hints

To use DNSSEC, put a key file in /usr/local/etc/unbound and name it root.key. The file will contain one line:

. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

You can check for a more recent version at: http://data.iana.org/root-anchors/root-anchors.xml

# chown unbound /usr/local/etc/unbound/root.key

Before moving on to the Unbound configuration file, make some changes to FreeBSD. Documentation example addressing (the 2001:0db8::/32 prefix) is used in this example, so if you do not already have private IPv6 addresses, then search and study unique local addressing. Add to /etc/rc.conf:

ipv6_enable="YES"
ipv6_ifconfig_ethCard0="2001:0db8::xxxx:xxxx:xxxx:xxxx/32"
unbound_enable="YES"
From here, let us move on to the Unbound configuration file. The unbound(8) configuration file can be found in /usr/local/etc/unbound. Copy unbound.conf.sample to unbound.conf. Before actually using the file, the utility unbound-checkconf(8) can be run to check for errors; e.g.,

# unbound-checkconf
unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf

Next are the modifications to unbound.conf(5). Most of the default entries are left alone in this example. You could do some performance tweaking for your server.

Listing 1. unbound.conf after modifications

interface: 192.0.2.xx
interface: ::1
interface: 2001:0db8::xxxx:xxxx:xxxx:xxxx
outgoing-interface: 192.0.2.xx
outgoing-interface: 2001:0db8::xxxx:xxxx:xxxx:xxxx
do-ip6: yes
access-control: 192.0.2.0/24 allow
access-control: 2001:0db8::/32 allow
root-hints: "/usr/local/etc/unbound/root.hints"
hide-identity: yes
hide-version: yes
do-not-query-localhost: yes
val-log-level: 2
local-zone: "example.org." typetransparent
local-data: "host1.example.org. A 192.0.2.1"
local-data-ptr: "192.0.2.1 host1.example.org"
local-data: "host2.example.org. A 192.0.2.2"
local-data-ptr: "192.0.2.2 host2.example.org"
local-data: "host3.example.org. A 192.0.2.3"
local-data-ptr: "192.0.2.3 host3.example.org"
local-data: "host1.example.org. AAAA 2001:0db8::xxxx:xxxx:xxxx:xxxx"
local-data-ptr: "2001:0db8::xxxx:xxxx:xxxx:xxxx host1.example.org"
local-data: "host2.example.org. AAAA 2001:0db8::xxxx:xxxx:xxxx:xxxx"
local-data-ptr: "2001:0db8::xxxx:xxxx:xxxx:xxxx host2.example.org"
local-data: "host3.example.org. AAAA 2001:0db8::xxxx:xxxx:xxxx:xxxx"
local-data-ptr: "2001:0db8::xxxx:xxxx:xxxx:xxxx host3.example.org"

On the server change /etc/resolv.conf. For the hosts' resolv.conf:

nameserver 2001:0db8::xxxx:xxxx:xxxx:xxxx

Run unbound-checkconf again. Since we are using DNSSEC, run unbound-anchor(8) before starting the server:

# unbound-anchor -a "/usr/local/etc/unbound/root.key"

Type unbound or restart the server.

Now, if you have configured some of your applications using IPv6 then the hostnames will be available; e.g., if you run ntp.org then the standard NTP query program will return hostnames instead of IPv6 addresses, which is very handy if you are looking at a terminal window. :)

% ntpq -p 
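As an added example that is not part of the article, the Python script below generates the local-zone block that Listing 1 maintains by hand from a table of hosts, so the A/AAAA record and its matching local-data-ptr entry cannot drift apart, and sanity-checks the root.key DS line before it is handed to unbound-anchor. The host names and documentation-range addresses are constructed; the DS line is the one the article prints.

```python
"""Generate Unbound local-zone / local-data / local-data-ptr entries for a
small dual-stack network and sanity-check a root.key DS trust-anchor line.

Added example, not part of the original article. The host table is
constructed from the article's documentation-range prefixes; the DS line is
the one the article prints for key tag 19036.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed host table: name -> addresses (192.0.2.0/24 and 2001:db8::/32
# are the documentation prefixes the article uses).
HOSTS: Dict[str, List[str]] = {
    "host1": ["192.0.2.1", "2001:db8::1"],
    "host2": ["192.0.2.2", "2001:db8::2"],
    "host3": ["192.0.2.3", "2001:db8::3"],
}

# DS digest types and the hex length each digest must have (RFC 4034, RFC 4509).
DS_DIGEST_HEX_LEN = {1: 40, 2: 64}  # 1 = SHA-1, 2 = SHA-256


def render_local_zone(zone: str, hosts: Dict[str, List[str]]) -> List[str]:
    """Return unbound.conf lines: a typetransparent local zone, an A or AAAA
    record per address and the matching reverse entry for each one."""
    zone = zone.rstrip(".")
    lines = [f'local-zone: "{zone}." typetransparent']
    for name, addrs in sorted(hosts.items()):
        fqdn = f"{name}.{zone}."
        for text in addrs:
            ip = ipaddress.ip_address(text)  # ValueError on a malformed address
            rrtype = "A" if ip.version == 4 else "AAAA"
            lines.append(f'local-data: "{fqdn} {rrtype} {ip}"')
            # Unbound derives the in-addr.arpa / ip6.arpa owner name itself.
            lines.append(f'local-data-ptr: "{ip} {fqdn}"')
    return lines


def reverse_name(addr: str) -> str:
    """The in-addr.arpa / ip6.arpa owner name a local-data-ptr line answers
    for (handy when checking the server with dig -x)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


DS_RE = re.compile(r"^\.\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def check_root_ds(line: str) -> Dict[str, object]:
    """Parse a root DS line in the root.key format the article uses and check
    that the digest length matches its digest type. Returns the fields or
    raises ValueError, so a mangled trust anchor is caught before it is
    handed to unbound-anchor."""
    m = DS_RE.match(line.strip())
    if not m:
        raise ValueError("not a root DS record")
    key_tag, algorithm, digest_type = (int(m.group(i)) for i in (1, 2, 3))
    digest = re.sub(r"\s+", "", m.group(4)).upper()  # rejoin a wrapped digest
    want = DS_DIGEST_HEX_LEN.get(digest_type)
    if want is None:
        raise ValueError(f"unknown DS digest type {digest_type}")
    if len(digest) != want:
        raise ValueError(
            f"digest type {digest_type} needs {want} hex chars, got {len(digest)}")
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


# The trust-anchor line from the article, with the digest joined across the
# line break of the printed version.
ROOT_DS_LINE = (". IN DS 19036 8 2 "
                "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE3"
                "2F24E8FB5")

if __name__ == "__main__":
    print("\n".join(render_local_zone("example.org", HOSTS)))
    print(check_root_ds(ROOT_DS_LINE))
```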


DARREL 

Darrel is still recovering from a car crash and found that writing 
this article is not nearly as depressing as supineness. Due to a 
thunderstorm that began shortly after that sentence- the main 
thing keeping this article moving now is his uninterruptable 
power supply. 
Keeping up to date in PC-BSD 9

Since the early days of PC-BSD, there have been various GUI mechanisms for performing critical system and security updates.

While these tools were necessary, they were badly in need of an overhaul to provide traditional command-line functionality, along with mechanisms for performing a greater variety of update types. In the upcoming PC-BSD 9 the new pc-updatemanager makes its debut, with many new features, pure command-line functionality and a streamlined GUI which makes desktop updating as painless as possible. First let us take a look at some of the functionality of this new tool from the command-line perspective.

In PC-BSD 9, all upgrade functionality can now be performed via the console, using the commands freebsd-update, for system security advisories, and pc-updatemanager, for updates to packages, tools and major system versions. The former command, freebsd-update, is included within the FreeBSD base operating system, and can now be safely used to perform security updates to the underlying operating system kernel and world environment. PC-BSD has always shipped with a default FreeBSD world environment, but starting in 9 it will include the GENERIC kernel as well, allowing freebsd-update to manage the full spectrum of security updates. More information on the usage of this built-in command can be found in the FreeBSD handbook: http://www.freebsd.org/doc/handbook/updating-freebsdupdate.html.
The pc-updatemanager command is unique to PC-BSD 9, and provides a few easy to use commands which can be used to check for, and install, several different types of updates. To start checking for updates, the first command to run is:

# pc-updatemanager check

This command will connect to the PC-BSD update server and fetch the latest digitally signed patch data for your specific version / architecture. If no updates are found, or your system is already updated, then the command will exit with a message to that effect. If an update is found, then another message with details about the available update will be printed, as shown in the example below:

# pc-updatemanager check

The following updates are available:
NAME: System Update to 9.0-BETA2
TYPE: SYSUPDATE
VERSION: 9.0-BETA2
DATE: 09/2011
TAG: release-9.0-BETA2
To start the update, run "pc-updatemanager install release-9.0-BETA2". In this case a single update has been found, which upgrades the system to 9.0-BETA2. The command to start the update is always printed at the end of the output, making it easy for the user to immediately begin the update process. Most updates are small and can be downloaded and installed in a short time, without a reboot. Usually this will be simply updating a particular package, such as the NVIDIA driver, or some newer version of a PC-BSD utility with important bug fixes. In this example we will look at a more complex update of the entire operating system to a newer release.

By starting the update in the example above, the pc-updatemanager would first begin by analyzing the system configuration and determining which desktops / meta-pkgs are installed, such as KDE, GNOME, LXDE, NVIDIA drivers, etc. After building this list, the update manager will start downloading the newer packages for these components, along with a new FreeBSD world / kernel. Once all files are downloaded and checksums verified, the user will be prompted to reboot the system and begin the upgrade. After rebooting, the update manager will start by removing the user's old system packages and installing the newer kernel / world environment. When done, the system will automatically reboot, and finish the update by installing the updated desktop / meta-pkgs. This process is entirely automated, and requires no interaction from the user, apart from rebooting the system to begin the update. This initial reboot is used to allow the user to finish working on their desktop, without the worry of a critical package being modified at an inconvenient moment.


Figure 1. Update GUI for PC-BSD 9 (the Available Updates list showing "System Upgrade: 9.0-BETA2 (2011-09-10)", with Select / Deselect All, Rescan for Updates and Install selected updates buttons)
While the pc-updatemanager is capable of handling a wide variety of update types, the configuration of it is relatively simple with only a few important options to take note of. Nearly all settings are stored in the main configuration file, /usr/local/etc/pcbsd.conf. Some common settings are listed below, with a brief description of each. In addition, all of these settings may also be set via the GUIs in the PC-BSD control panel, allowing users uncomfortable with the command-line to customize with only a few clicks.

# Mirror for System Updates / Meta-Pkgs
PCBSD_MIRROR: ftp://<mirror-host>/pub/mirror

# Proxy Server URL
PCBSD_PROXYURL: http://proxy.example.org

# Proxy Server Port
PCBSD_PROXYPORT: <port>

# Proxy Username
PCBSD_PROXYUSER: <username>

# Proxy Password
PCBSD_PROXYPASS: <password>

At the moment the only settings normally adjusted are the ones shown above, such as changing the default mirror server, or adjusting the system to use a proxy server for connectivity. These can also be set in the System Manager and Network Manager GUIs respectively.
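An added example, not PC-BSD project code, that reads settings in the KEY: value form shown above and checks the values pc-updatemanager depends on, including whether a clear-text proxy password sits in a file other users can read. The sample file contents, the checks and the file-mode argument are constructed here.

```python
"""Parse settings in the KEY: value form the article shows for
/usr/local/etc/pcbsd.conf and check the values pc-updatemanager relies on.

Added example, not PC-BSD project code. The key names follow the article; the
sample file contents, the checks and the file-mode argument are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed pcbsd.conf contents (mirror host and proxy are placeholders).
SAMPLE_CONF = """\
# Mirror for System Updates / Meta-Pkgs
PCBSD_MIRROR: ftp://ftp.example.org/pub/mirror

# Proxy Server URL
PCBSD_PROXYURL: http://proxy.example.org
# Proxy Server Port
PCBSD_PROXYPORT: 3128
# Proxy Username
PCBSD_PROXYUSER: updates
# Proxy Password
PCBSD_PROXYPASS: s3cret-example
"""

LINE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*:\s*(.*?)\s*$")


def parse_pcbsd_conf(text: str) -> Dict[str, str]:
    """Return the settings as a dict; whole-line '#' comments and blank lines
    are skipped, anything else must be KEY: value."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a KEY: value setting: {raw!r}")
        settings[m.group(1)] = m.group(2)
    return settings


def check_settings(settings: Dict[str, str], file_mode: int = 0o644) -> List[str]:
    """Return findings about the update/proxy settings (empty list = fine).
    file_mode is the permission bits of pcbsd.conf, e.g. from os.stat."""
    findings: List[str] = []
    mirror = urlparse(settings.get("PCBSD_MIRROR", ""))
    if mirror.scheme not in ("ftp", "http", "https") or not mirror.netloc:
        findings.append("PCBSD_MIRROR is not an ftp/http(s) URL with a host")
    proxy = settings.get("PCBSD_PROXYURL")
    if proxy and urlparse(proxy).scheme not in ("http", "https"):
        findings.append("PCBSD_PROXYURL must be an http(s) URL")
    port = settings.get("PCBSD_PROXYPORT")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"PCBSD_PROXYPORT {port!r} is not a valid TCP port")
    # A proxy password sits in clear text; the file should not be readable
    # by group or other when one is configured.
    if settings.get("PCBSD_PROXYPASS") and file_mode & 0o044:
        findings.append("PCBSD_PROXYPASS is set but pcbsd.conf is readable by group/other")
    return findings


if __name__ == "__main__":
    parsed = parse_pcbsd_conf(SAMPLE_CONF)
    for finding in check_settings(parsed, file_mode=0o644):
        print("finding:", finding)
```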

We've taken a look at the command-line functionality 
of the new pc-updatemanager, but for most desktop users a 
GUI solution is often the only viable one. In 9.0 the GUI 
tools have been slimmed down and streamlined into a 
single interface which can perform updates from both the 
pc-updatemanager and freebsd-update CLI backends. 

With both a fully command-line driven backend and an easy to use front-end, PC-BSD has never been easier to keep up to date with the latest security patches and versions. Administrators also have a new degree of control, by being able to disable the GUI entirely via sudo, and perform updates via the command-line transparently to the desktop user.


KRIS MOORE 

Kris Moore is the founder and lead developer of PC-BSD. He 
lives with his wife and four children in East Tennessee (USA), 
and enjoys building custom PC’s and gaming in his (limited) 
spare time. kris@pcbsd.org 
Using Life Preserver to Backup a PC-BSD 9.0 System to FreeNAS™ 8.0.1

This article demonstrates how to use the built-in Life Preserver program to backup a PC-BSD 9.0 desktop system to a FreeNAS™ 8.0.1 NAS system. Users can refer to the Guides at http://wiki.pcbsd.org/index.php/PC-BSD_9_Handbook and http://doc.freenas.org for instructions on how to install PC-BSD and FreeNAS™.

What you will learn...
• how to create an automated backup solution

What you should know...
• how to install PC-BSD and FreeNAS™

PC-BSD provides a graphical Life Preserver utility to make it easy for a desktop user to back up their home directory to another computer or storage appliance using rsync and SSH. Once a full backup has been created, rsync will only send the files that have changed since the last backup to the backup device. The data is protected while being transferred over the network due to the encryption provided by SSH.

Figure 1. Create a ZFS Volume (Storage->Volumes->Add Volume, listing the disks ada0 to ada3 at 1.0TB each, the filesystem type, and the group type options mirror, stripe, raid3, RAID-Z and RAID-Z2)


Configure FreeNAS™ 

In order to prepare the FreeNAS™ system to store the 
backups created by Life Preserver, you will need to: 
create a dataset to store the user's backup, create a user 
account that has permission to access that dataset, and 
enable the SSH and rsync services. 


Figure 2. Creating a Dataset from a ZFS Volume

Figure 3. Creating a ZFS Dataset (Create ZFS Dataset dialog: volume backups, dataset name dru, compression level Inherit, atime Inherit / On / Off, quota for this dataset 200G, quota for this dataset and all children, reserved space for this dataset 0, reserved space for this dataset and all children)
Create a Dataset 

In ZFS terminology, a dataset is a portion of a ZFS 
volume. Datasets allow you to create a storage area for 
an individual user; datasets also allow you to configure 
compression and a storage quota on a per dataset basis. 
Users will only see the data on their own dataset and are 
restricted to the disk space that you configure for the 
dataset. 

Before you can create a dataset, you must first create a 
ZFS volume. In the FreeNAS™ 8.0.1 web administration 
interface, go to Storage->Volumes->Add Volume. As 
seen in Figure 1, the available (unformatted) disks will be 
listed. 

In this example, the FreeNAS™ system has four 1TB drives. If I select to create a ZFS stripe using all four drives, the resulting volume will have the maximum storage capacity (~3.6TB) but will not have any redundancy (if one drive fails, the entire volume fails). If I select to create a ZFS RAIDZ1, the resulting volume will provide redundancy (can survive the failure of one disk), but will have reduced storage capacity (~2.8 TB) due to the parity information. I have chosen to create a ZFS stripe named backups. Once the volume is created, it will appear in Storage->Volumes->View all Volumes, as seen in Figure 2.

Figure 4. Creating a User Account

Figure 5. Viewing a Dataset's Permissions

Click the icon Create ZFS Dataset to see the screen 
shown in Figure 3. In this example, a dataset named dru 
was created with a disk quota of 200GB. If your network 
contains multiple PC-BSD desktops or if several users 
share the PC-BSD system, create a dataset for each user. 
You can make as many datasets as you wish, assuming 
that free disk space still exists on the ZFS volume. 

If you choose to use quotas, be sure to give the dataset 
sufficient space to store a full backup and the amount of 
incremental backups that you will schedule (e.g. a week’s 
or a month's worth of daily backups). 


Create a User 

Once you have created the dataset, create a user account to associate with each dataset. To create a user account, go to Account->Users->Add User. In the example shown in Figure 4, a user account has been created for dru.


IMPORTANT

Change the Home Directory to the full pathname of the dataset for this user; in this example it is /mnt/backups/dru. If you are configuring backups for several users, create a user account for each user, being sure to give each user their own dataset as their home directory.


Figure 6. Enable the Rsync and SSH Services (Services->Control Services, showing the toggles for Active Directory, CIFS, Dynamic DNS, S.M.A.R.T., SSH and Rsync)
Figure 7. Input the IP Address and Username (Remote Device, Server information: Host Name 192.168.2.7, User Name dru, SSH Port 22; note: the remote server should be running SSH and have rsync installed)








You can verify that the dataset’s permissions are correct by 
going to Storage->Volumes->View All Volumes and clicking 
the Change Permissions icon (third from the left). In the 
example shown in Figure 5, the user dru has permission 
to the dataset; this was automatically configured when the 
dataset path was selected as the user's home directory. 
Depending upon your needs, you may wish to remove the 
read permissions for group and other; note that this will not 
affect the superuser’s ability to read the files in the backup. 
Do not change the type of ACL (keep it at Unix). 


To enable the rsync and SSH services on FreeNAS™, go 
to Services->Control Services. Click the red OFF button 
next to Rsync. After a second or so, it will change to a blue 
ON , indicating that the service has been enabled. Repeat 
for the SSH service. 





Figure 8. Select the Backup Schedule (Scheduled Backups: Disable automatic backups, Backup daily, Backup weekly)






























Preparing to setup SSH key authorization...
When prompted, enter your password for dru@192.168.2.7

The authenticity of host '192.168.2.7 (192.168.2.7)' can't be established.
RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.2.7' (RSA) to the list of known hosts.
dru@192.168.2.7's password:

Figure 9. Testing the Connection to the FreeNAS™ System








In version 9.0 of PC-BSD, Life Preserver appears as an icon in the system tray. It can also be launched from Control Panel->Life Preserver.

The first time you run Life Preserver, the Life Preserver 
Wizard will launch, indicating that you need to know the 
IP address and username/password to connect to the 
backup device. Click the Get Started button, then Next to 
see the screen shown in Figure 7. Input the IP address of 
the FreeNAS™ system and the name of the user account 
that you created and associated with a dataset. 

Click Next and select how often you would like the 
backup to occur, as seen in Figure 8. The default is to 
not create an automatic backup, meaning that you will 
perform the backup manually as needed. You can choose 
to instead automatically backup your home directory once 
a day or once a week. 

After making your selection, click Next then Finish. The 
Wizard will display a message indicating that it will test the 
connection to the FreeNAS™ system. Click Finish again 
and input the word yes and then the user's password 
when prompted, as seen in Figure 9. 

Once the connection is successful, the preserver (the 
configuration for the backup) will appear in the preservers 
list, as seen in Figure 10, with the following information: 





Figure 10. Daily Preserver with a Successful Backup (the Preservers list with the columns Backup Server, Last Backup, Schedule and Status, and the right-click menu Edit, Restore From, Remove)









Figure 11. Life-Preserver Settings (Backup Options: Number of backups to keep 7, Remove incomplete or failed backup; Scheduled Backups: Disable automatic backups, Backup daily, Backup weekly; Remote Directory; and the Include List editor, which notes that full path names must be used and that wildcards such as * are supported)

Backup Server
Will indicate the user account and IP address of the backup server.

Last Backup
Will indicate whether or not the last backup was successful. If you chose to automate backups, the first backup will happen immediately. Otherwise the backup will not occur until you press the Start button. How long the first backup takes depends upon the size of your home directory and the speed of your network.

Schedule
Will indicate disabled, daily, or weekly.

Status
Running indicates that the backup is occurring now; otherwise it will show as not running.

If you right-click the preserver, you can choose to edit the settings, restore from backup, or remove the configuration.

Figure 12. List of Backups (Available Backups: back-2011-08-16T17_07_15, with a Select Backup button)
BSD Certification

The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.

WHAT CERTIFICATIONS ARE AVAILABLE?

BSDA: Entry-level certification suited for candidates with a general Unix background and at least six months of experience with BSD systems.

BSDP: Advanced certification for senior system administrators with at least three years of experience on BSD systems. Successful BSDP candidates are able to demonstrate strong to expert skills in BSD Unix system administration.

WHERE CAN I GET CERTIFIED?

We're pleased to announce that after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.

Payments are made through our registration website: https://register.bsdcertification.org//register/payment

WHERE CAN I GET MORE INFORMATION?

More information and links to our mailing lists, LinkedIn groups, and Facebook group are available at our website: http://www.bsdcertification.org

Registration for upcoming exam events is available at our registration website: https://register.bsdcertification.org//register/get-a-bsdcg-id





Figure 13. Choosing Which File or Directory to Restore (prompt: List the files/dirs you wish to restore below, use commas for multiple files. Files must begin with '/'. Entry: /usr/home/dru/Documents/; checkbox Restore Relative to specified directory; Restore button)








Figure 11 shows the screen if you select Edit, as well as the screen if you also select Modify Include List.

By default, Life Preserver makes a backup of the user's home directory and stores the last 7 backups. If you wish to exclude files from your home directory or include files outside of your home directory, use the buttons to Modify Exclude List or Modify Include List.

Restoring Files

If you choose the option Restore From, you will be presented with a list of the stored backups. In the example shown in Figure 12, the preserver is scheduled to backup daily and a backup exists for August 17 (back-2011-08-17T09_11_08) and August 16 (back-2011-08-16T17_07_15). If I highlight the backup for August 17 and click Select Backup, I'll see the screen in Figure 13. In this example, I've chosen to restore my Documents directory.

When doing a restore, give the full path to the file or directory. The full path will always begin with /usr/home/$USERNAME/ where you replace $USERNAME with the name of your user.
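An added example, not Life Preserver's own code, showing how the "Number of backups to keep" rule and the "Remove incomplete or failed backup" option from Figure 11 act on a listing of backup directories named as in Figure 12, plus a check that a daily preserver has not skipped days. The directory listing is constructed; the August 16 and 17 names are the article's.

```python
"""Apply Life Preserver's 'Number of backups to keep' rule to the backup
directory names found on the FreeNAS dataset (back-YYYY-MM-DDTHH_MM_SS) and
report days a daily schedule missed.

Added example, not Life Preserver's own code. The directory names are
constructed; two of them (August 16 and 17) are taken from the article.
"""
from datetime import datetime, timedelta
import re
from typing import Iterable, List, Optional, Tuple

NAME_RE = re.compile(r"^back-(\d{4}-\d{2}-\d{2}T\d{2}_\d{2}_\d{2})$")
STAMP_FMT = "%Y-%m-%dT%H_%M_%S"

# Constructed listing of the life-preserver directory on the NAS: eight
# complete backups, one name cut short (no seconds) and one the user has
# marked as incomplete.
SAMPLE_NAMES = [
    "back-2011-08-09T17_00_00",
    "back-2011-08-10T17_02_30",
    "back-2011-08-11T17_01_12",
    "back-2011-08-12T17_03_44",
    "back-2011-08-14T17_00_51",
    "back-2011-08-15T17_05_09",
    "back-2011-08-16T17_07_15",
    "back-2011-08-17T09_11_08",
    "back-2011-08-18T09_00_00",
    "back-2011-08-18T09",
]
INCOMPLETE = {"back-2011-08-18T09_00_00"}


def parse_backup_name(name: str) -> Optional[datetime]:
    """Timestamp encoded in a backup directory name, or None if malformed."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), STAMP_FMT)
    except ValueError:  # e.g. month 13
        return None


def plan_retention(names: Iterable[str], keep: int = 7,
                   incomplete: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (kept, pruned). Malformed names and those listed as incomplete
    or failed are always pruned (the 'Remove incomplete or failed backup'
    option); of the rest, the newest `keep` survive, newest first."""
    incomplete = set(incomplete)
    valid, pruned = [], []
    for n in names:
        if n in incomplete or parse_backup_name(n) is None:
            pruned.append(n)
        else:
            valid.append(n)
    valid.sort(key=parse_backup_name, reverse=True)
    return valid[:keep], pruned + valid[keep:]


def missed_days(names: Iterable[str]) -> List[str]:
    """Calendar days between the oldest and newest backup with no backup at
    all; a non-empty list means a daily preserver is not running as scheduled."""
    days = {d.date() for d in map(parse_backup_name, names) if d is not None}
    if not days:
        return []
    missing, cur = [], min(days)
    while cur < max(days):
        cur += timedelta(days=1)
        if cur not in days:
            missing.append(cur.isoformat())
    return missing


if __name__ == "__main__":
    kept, pruned = plan_retention(SAMPLE_NAMES, keep=7, incomplete=INCOMPLETE)
    print("keep :", kept)
    print("prune:", pruned)
    print("missed days:", missed_days(SAMPLE_NAMES))
```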
Figure 14. Using Krusader to Browse Backups

Using a Graphical File Manager to Browse Backups

Since Life Preserver uses SSH for backups and restores, users can use SSH-based utilities such as scp and sftp to view and copy files from the backups. If you prefer a graphical utility to a command line utility, there are several options. Depending upon which desktop you are using, you may or may not have a graphical utility that understands sftp. If you're not sure, Krusader2 is available and provides a dual-pane file manager that understands sftp.

To access the FreeNAS™ system with Krusader, type sftp://192.168.2.7 into the address bar of one of the panes, replacing the IP address with that of your FreeNAS™ system. When the login prompt appears, input the username and password of your user.

Figure 14 shows a listing of the stored backups in the 
life-preserver directory of the left pane and the user’s 
home directory on their PC-BSD system in the right pane. 
lf you expand either a backup or current (a shortcut to 
the latest backup), you can navigate to usr/nome/suszrR and 
view the contents of your user’s home directory. You can 
then highlight the files/directories that you wish to restore, 
right-click on the selection, click Copy, and the selection 
will be copied to the home directory on the PC-BSD 
system. 


Summary

This article demonstrated how easy it is to back up a
user's home directory to a FreeNAS™ system using PC-BSD's
built-in Life Preserver utility. It also demonstrated
how to use the graphical Krusader utility to view backups
and perform file and directory restores.


DRU LAVIGNE

Dru Lavigne is author of BSD Hacks, The Best of FreeBSD Basics,
and The Definitive Guide to PC-BSD. As Director of Community
Development for the PC-BSD Project, she leads the documentation
the community to discover their needs. She is the former Managing
Editor of the Open Source Business Resource, a free monthly
publication covering open source and the commercialization of
open source assets. She is founder and current Chair of the BSD
Certification Group Inc., a non-profit organization with a mission to
create the standard for certifying BSD system administrators, and
serves on the Board of the FreeBSD Foundation.
Recovering data with Hammer


We've all experienced instant regret. That's the feeling that
comes within a second of executing a command like "rm -f * .txt"
(note the space), or of cutting the wrong cluster of
wires at the end of a long conduit. Not that I am quoting from
experience, or anything like that, no...

Hammer, DragonFly's default file system, can help with that.
Perhaps not with the cut wires, but with the loss of important
files. Hammer will keep a record of the data changed every time
a disk is synced, approximately every 30 seconds, so file history
is saved under normal circumstances. Hammer also supports
snapshots, where the state of an entire file system is saved for
access later. Since its file history and snapshots only contain
the changes to the data, it's relatively sparse and doesn't eat
much more storage space.

These two aspects together mean that if you are going to make a
mistake, doing it while on a Hammer-running operating system can
make your life much easier. This article contains some "case
studies" of the various ways Hammer fixes what you did wrong.


Simple case: I scrambled a file

The most simple case: you've scrambled a file. Maybe you rewrote
several lines and saved it, or accidentally mashed the keyboard,
but either way the file is still present, just wrong. By default,
the undo tool will show the previous version of a file, with a
note about the timestamp of the last change, prefixed with >>.
See Listing 1. Other options exist, like iterating over all
previous versions saved to disk, or generating a diff between
versions, and if you delete the file it'll still work.



More complicated: A lost file 

This is all fine when you still have the known location of 
the file, but what if it’s a month later, and you need one file 
out of hundreds in a directory? Manually retrieving each 
file and searching it would either be a large amount of 
labor, or some time writing an appropriate shell script. 

This is where snapshots come in. Hammer volumes 
automatically take snapshots, and do so by default on a 
daily basis, storing up to 60 days of snapshots. 

Snapshots are stored in disk meta-data, so they can be 
listed using the hammer command. See Listing 2. 

Each one of those unique transaction IDs 
points to this system’s /var as it looked 
at that date in time. The directory /var/ 
hammer contains links to the history of 
each Hammer pseudo-filesystem. Listing 
3 shows example contents for the usr 
directory in that setup. 

Notice that the default name on each of the transaction
links shows the date of the snapshot, so getting an
initial snapshot list may not even be necessary.

It's possible to cd into the appropriate directory and 
perform operations as if it was a normal directory. It’s 
read-only, of course, since it’s a historical snapshot. 





Listing 2. Snapshot meta-data listing

# hammer snapls /var
Snapshots on /var    PFS #1
Transaction ID       Timestamp                  Note
0x00000001b40cbf10   ...
0x00000001b421f010   ...
[listing trimmed to save paper]
0x00000001bfe1b8a1   ...
0x00000001c028a210   2011-08-20 03:01:06 EDT    -


Listing 3. Automatic snapshots

# ls /var/hammer/usr
snap-20110622-0301 -> /usr/@@0x00000001b422f0f0
snap-20110623-0301 -> /usr/@@0x00000001b4389140
snap-20110624-0301 -> /usr/@@0x00000001b45050f0
[again, trimmed to save paper]
snap-20110818-0303 -> /usr/@@0x00000001bf97cc30
snap-20110819-0301 -> /usr/@@0x00000001bfe1b820
snap-20110820-0301 -> /usr/@@0x00000001c028a310
While this example shows automatic snapshots, it's also
possible to trigger snapshots at any arbitrary time.
For example, it's possible to perform before-and-after
comparisons when installing software, by taking a
snapshot before installation and just after, and then using
normal filesystem tools to compare the affected
areas afterwards.


Really, really catastrophic recovery

If your Hammer filesystem becomes corrupt, perhaps
due to bad disk firmware, there is a 'hammer recover'
command. This command looks for any data
that can be reconstructed based on what
data is left on the disk, and rebuilds the filesystem.
Even if the metadata that outlines the file
system is corrupted, the data itself may
be still physically present and identifiable.
It's even possible to take an image of a
Hammer volume, attach it
to a virtual machine, and run
'hammer recover' there to
rebuild data without risking
further loss from physical
disk activity, in a scenario
where the hardware is itself damaged and likely to
scramble itself further.

Note that I didn't say anything about a power outage.
Hammer is designed to survive sudden cuts of power.
Anything's possible in a power surge or loss, of course,
but one of the initial tests for Hammer was starting
intensive disk operations and then yanking power from
the running system, so some thought has been put into
preventing power issues.


Conclusion
With Hammer, you can see every version of your data
that's ever committed to disk, limited only by the Hammer
settings and the available disk space. There's a lot more
possible with Hammer. Snapshots can be streamed to
other Hammer volumes over the network, for remote
backup. Snapshots can be kept independently on the
remote volumes, too... but that's another article.


JUSTIN C. SHERRILL
Justin Sherrill has been publishing the DragonFly BSD Digest
since 2004, and is responsible for several other parts of
DragonFly that aren't made out of code. He lives in the northern
United States and works over a thousand feet underground.
HOW TO'S


Apache2, php5, mysql5, modsecurity2.5
installation and configuration in order to protect dynamic
websites from various attacks, in FreeBSD 8.2


In recent years there has been a tremendous increase in dynamic websites and CMSs
using PHP. A very large share of these websites is served by the Apache
web server using MySQL as the database, mostly on Unix systems. This tremendous
growth of PHP in dynamic websites and open source CMSs like Joomla has also increased
the attacks by hackers aiming to compromise a website or hack the server to use it
in a botnet. So one may wonder: is there anything that can protect my websites
apart from backups and upgrading the system and software? The answer is yes.


What you will learn...

• Installing and configuring apache 2.2.x
• Installing and configuring php 5.3.x
• Installing modules for php5
• Installing and configuring MySQL 5
• Installing and configuring mod_security 2.5
• How to test your site for attacks like SQL injection and Cross Site
Scripting


What you should know...

• Installing FreeBSD 8.2
• Using vi or any console editor
• Basic Unix commands like mv, cp etc.
• Installing Joomla 1.7 CMS
• Using phpmyadmin


In this article I am going to guide you step by step on
how to install the apache 2.2.x web server and php 5.3.x, and
configure apache to run php scripts in order to host a
dynamic website or CMS like Joomla in FreeBSD. I will
also show the procedure to install mysql and phpmyadmin
in order to manage mysql databases easily. Then we will
secure the apache web server from various attacks like XSS
using modsecurity and finally we will install the Joomla CMS
and try some hacking on it to see if the web server
is secured. First add


hostname="your.hostname.com"


to /etc/rc.conf.


Update the ports tree:
#portsnap fetch


If you run portsnap for the first time
then use


#portsnap extract


and then


#portsnap update


Otherwise you can use portsnap update directly without first
needing to run portsnap extract.

Or you can use the pkg_add utility, but I prefer using ports
and compiling my packages instead of using precompiled
packages.


Installing portaudit
Portaudit is a very nice utility that checks whether installed ports or
ports that are going to be installed have known vulnerabilities.


#cd /usr/ports/ports-mgmt/portaudit


#make install clean
Reload the shell's command cache


#rehash





Figure 1. Choosing apache modules to be installed

Update the portaudit database to get the newest vulnerabilities


#portaudit -F


Installing apache
Go to the port directory


#cd /usr/ports/www/apache22


#make install clean


In the menu that appears we can disable modules or
enable modules that we will need. In this setup we are
going to use the web server to serve websites, not svn,
so I disable modules like mod_dav because of some
vulnerabilities. We enable or disable features using the
spacebar, and tab to go to the OK button (Figure 1).


About modules

mod_access — Provides access control based on client hostname, IP address, or other characteristics of the client request.
mod_actions — Provides for executing CGI scripts based on media type or request method.
mod_alias — Provides for mapping different parts of the host filesystem in the document tree and for URL redirection.
mod_asis — Sends files that contain their own HTTP headers.
mod_auth — User authentication using text files.
mod_auth_anon — Allows anonymous user access to authenticated areas.
mod_auth_dbm — Provides for user authentication using DBM files.
mod_auth_digest — User authentication using MD5 Digest Authentication.
mod_auth_ldap — Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
mod_autoindex — Generates directory indexes automatically, similar to the Unix ls command or the Win32 dir shell command.
mod_cache — Content cache keyed to URIs.
mod_cern_meta — CERN httpd metafile semantics.
mod_cgi — Execution of CGI scripts.
mod_cgid — Execution of CGI scripts using an external CGI daemon.
mod_charset_lite — Specify character set translation or recoding.
mod_dav — Distributed Authoring and Versioning (WebDAV) functionality.
mod_dav_fs — Filesystem provider for mod_dav.
mod_deflate — Compress content before it is delivered to the client.
mod_dir — Provides for trailing slash redirects and serving directory index files.
mod_disk_cache — Content cache storage manager keyed to URIs.
mod_dumpio — Dumps all I/O to the error log as desired.
mod_echo — A simple echo server to illustrate protocol modules.
mod_env — Modifies the environment which is passed to CGI scripts and SSI pages.
mod_example — Illustrates the Apache module API.
mod_expires — Generation of Expires and Cache-Control HTTP headers according to user-specified criteria.
mod_ext_filter — Pass the response body through an external program before delivery to the client.
mod_file_cache — Caches a static list of files in memory.
mod_headers — Customization of HTTP request and response headers.
mod_imap — Server-side imagemap processing.
mod_include — Server-parsed html documents (Server Side Includes).
mod_info — Provides a comprehensive overview of the server configuration.
mod_isapi — ISAPI Extensions within Apache for Windows.
mod_ldap — LDAP connection pooling and result caching services for use by other LDAP modules.
mod_log_config — Logging of the requests made to the server.
mod_log_forensic — Forensic logging of the requests made to the server.
mod_logio — Logging of input and output bytes per request.
mod_mem_cache — Content cache keyed to URIs.
mod_mime — Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding).
mod_mime_magic — Determines the MIME type of a file by looking at a few bytes of its contents.
mod_negotiation — Provides for content negotiation.
mod_nw_ssl — Enable SSL encryption for NetWare.
mod_proxy — HTTP/1.1 proxy/gateway server.
mod_proxy_connect — mod_proxy extension for CONNECT request handling.
mod_proxy_ftp — FTP support module for mod_proxy.
mod_proxy_http — HTTP support module for mod_proxy.


Found saved configuration for apache-2.2.19
httpd-2.2.19.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/apache22.
Attempting to fetch http://www.apache.org/dist/httpd/httpd-2.2.19.tar.bz2
Extracting for apache-2.2.19
SHA256 Checksum OK for apache22/httpd-2.2.19.tar.bz2.
apache-2.2.19 depends on file: /usr/local/bin/perl5.12.3 - found


Figure 2. Apache Installation Procedure begins


mod_rewrite — Provides a rule-based rewriting engine to rewrite requested URLs on the fly.
mod_setenvif — Allows the setting of environment variables based on characteristics of the request.
mod_so — Loading of executable code and modules into the server at start-up or restart time.
mod_speling — Attempts to correct mistaken URLs that users might have entered by ignoring capitalization and by allowing up to one misspelling.
mod_ssl — Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
mod_status — Provides information on server activity and performance.
mod_suexec — Allows CGI scripts to run as a specified user and group.
mod_unique_id — Provides an environment variable with a unique identifier for each request.


Options for m4 1.4.16,1
Use libsigsegv for better diagnostics


Figure 3. One of the many prompts you will get





Compressing manual pages for apache-2.2.19
Registering installation for apache-2.2.19
Cleaning for autoconf-2.68, libtool-2.4, expat-2.1, m4-1.4.16, automake-1.11.1, gdbm-1.8.3, db42-4.2.52, p5-Locale-gettext, gettext, ... and finally apache-2.2.19
License check disabled, port has not defined LICENSE


Figure 4. Apache Installation Procedure Ends


mod_userdir — User-specific directories.
mod_usertrack — Clickstream logging of user activity on a site.
mod_version — Version dependent configuration.
mod_vhost_alias — Provides for dynamically configured mass virtual hosting.

More info on the modules can be found on the apache website:
http://httpd.apache.org/docs/2.0/mod/
(the descriptions above follow the 2.0 documentation; in 2.2 the
authentication modules were split, so mod_access became mod_authz_host
and mod_auth became mod_auth_basic with the mod_authn_* and mod_authz_*
providers).

Then press tab to go to the OK button and press enter to
continue (Figure 2). In the next screens that appear
(Figure 3) accept the default values and click OK to continue the
installation; when the installation finishes you will see
Figure 4.

To make apache start at boot time edit /etc/rc.conf and
add this line


#echo 'apache22_enable="YES"' >> /etc/rc.conf
Starting apache
#/usr/local/etc/rc.d/apache22 start


Disable directory indexing. Change


Options Indexes FollowSymLinks
To


Options All -Indexes FollowSymLinks MultiViews

Two caveats on that line: Options All turns on every option except
MultiViews, including ExecCGI and Includes, which a plain PHP site does
not need, and the Apache documentation warns that mixing the absolute
form (All) with the +/- form is not valid Options syntax. The safer
equivalent, with Indexes simply left out, is
Options FollowSymLinks MultiViews.
To check whether a module is loaded (mod_security, once it is installed
below, should appear here)


#apachectl -t -D DUMP_MODULES


Options for php5 5.3.6_1
Build CLI version
Build CGI version
Build FPM version (experimental)
Build Apache module
Use Apache 2.x filter interface (experimental)
Enable debug
Enable Suhosin protection system
Enable zend multibyte support
Enable ipv6 support


Figure 5. Configuring php
You should see in the list


unique_id_module (shared)


security2_module (shared)


Note
If you get the warning

[warn] (2)No such file or directory: Failed to enable the
httpready Accept Filter

add the following line to /boot/loader.conf:


echo 'accf_http_load="YES"' >> /boot/loader.conf
and restart the system to load it (or load it right away with
kldload accf_http and then restart apache).
Installing php


# cd /usr/ports/lang/php5


# make config
Check "Build Apache module" and click OK (Figure 5).
# make install clean
Check in /usr/local/etc/apache22/httpd.conf that there is the line
LoadModule php5_module libexec/apache22/libphp5.so
Also modify this block
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>


to read


<IfModule dir_module>
DirectoryIndex index.php index.htm index.html
</IfModule>





Options for php5-extensions 1.5
pcntl support (CLI only)
PDFlib support (implies GD)
PHP Data Objects Interface (PDO)
PDO sqlite driver
PostgreSQL database support
POSIX-like functions
pspell support
readline support (CLI only)
recode support
session support
shmop support


Figure 6. Choosing php extensions
And also add this block inside httpd.conf

<IfModule php5_module>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>

(The second AddType makes apache serve any .phps file as syntax-highlighted
PHP source; leave it out unless you really want to publish source code.)


Create the php.ini config


#mv /usr/local/etc/php.ini-production /usr/local/etc/php.ini


Now we will install the php extensions needed by some CMSs like
joomla


#cd /usr/ports/lang/php5-extensions


#make config


In the screen that appears we choose, in addition to the default
values, also bz2, curl, exif, ftp, mysql, odf, pdf, session,
gd, mcrypt, zip, zlib (Figure 6). Click OK.

Then start the installation


#make install clean


and click OK to continue the installation. After the installation
finishes, restart apache
[Figure 7 shows the phpinfo() page: the System line (FreeBSD ... GENERIC i386), the build date and the Configure Command './configure' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' ...]

Figure 7. The phpinfo() test page
Options for mysql-server 5.5.14
Replace mutexes with spinlocks


Figure 8. Configuring mysql Server


#/usr/local/etc/rc.d/apache22 restart


Create a test page to see if php is working. The best way is
using the phpinfo() function


#mv /usr/local/www/apache22/data/index.html /usr/local/www/apache22/data/itworks.html


#echo "<?php phpinfo(); ?>" >> /usr/local/www/apache22/data/index.php


Use the full <?php tag: php.ini-production ships with
short_open_tag = Off, so a page written as <? phpinfo(); ?> would be
returned to the browser as plain text. Then test your website in a
web browser at
http://your domain name or your ip/
and you should see a page like Figure 7. Remove index.php again once
the test has passed: phpinfo() lists paths, module versions and
configuration values that you do not want to advertise to attackers.
Installing mysql


#cd /usr/ports/databases/mysql55-server


#make install clean


In the screen that appears keep the default config and
click OK (Figure 8).
Enable the mysql server to start at boot


#echo 'mysql_enable="YES"' >> /etc/rc.conf
Start the mysql server
#/usr/local/etc/rc.d/mysql-server start


Because the mysql server by default listens on all IP
interfaces, which is not secure, we want it to listen
only on localhost, since we are going to use the server
for websites on the same machine. So we also need to add the
bind-address to rc.conf. The command is


#echo 'mysql_args="--bind-address=127.0.0.1"' >> /etc/rc.conf
And then we restart mysql to pick up the new setting
#/usr/local/etc/rc.d/mysql-server restart
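A quick way to verify that the bind-address actually took effect, instead of reading the netstat output by eye as in Figure 10: the following shell function is an added example, not part of the article, and parses the text of FreeBSD's netstat -an or sockstat -4l for the mysqld port. The two sample outputs embedded in it are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Verify that mysqld is bound to the loopback address only, from the text
# of `netstat -an` or `sockstat -4l` on FreeBSD. Added example, not the
# article's code. Exit status: 0 = loopback only, 1 = reachable from the
# network, 2 = nothing listening on the port. The two samples below are
# constructed; FreeBSD netstat separates the port with a dot, sockstat
# with a colon, and the parser accepts both.

SAMPLE_EXPOSED='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.3306                 *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 10.0.0.5.3306          10.0.0.9.51234         ESTABLISHED'

SAMPLE_LOOPBACK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   127.0.0.1:3306        *:*
www      httpd      1300  4  tcp4   *:80                  *:*'

# mysql_listen_check TEXT [PORT]
mysql_listen_check() {
    port=${2:-3306}
    # The first token on a line ending in ".PORT" or ":PORT" is the local
    # address; the foreign address comes later and is deliberately ignored,
    # so an outbound connection *to* port 3306 is not mistaken for a listener.
    local_addrs=$(printf '%s\n' "$1" | awk -v p="$port" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ ("[.:]" p "$")) { print $i; break } }')
    if [ -z "$local_addrs" ]; then
        echo "nothing is listening on port $port"
        return 2
    fi
    # Anything that is not a loopback address (v4 or v6) is reachable.
    exposed=$(printf '%s\n' "$local_addrs" \
        | grep -v -e '^127\.0\.0\.1[.:]' -e '^::1[.:]' -e '^\[::1\][.:]' -e '^localhost[.:]' || true)
    if [ -n "$exposed" ]; then
        echo "mysqld is reachable from the network on: $(printf '%s\n' "$exposed" | tr '\n' ' ')"
        return 1
    fi
    echo "mysqld is bound to loopback only: $(printf '%s\n' "$local_addrs" | tr '\n' ' ')"
    return 0
}

# On the server run:  mysql_listen_check "$(netstat -an)"
mysql_listen_check "$SAMPLE_LOOPBACK"
mysql_listen_check "$SAMPLE_EXPOSED" || echo "(the exposed sample fails the check, as it should)"
```

The check is worth keeping in a post-install script: a later mysql upgrade or a stray my.cnf can silently drop the bind-address again.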


If you want to manage the mysql server through a web interface instead of the
command line you can install phpmyadmin. It is a nice web
frontend with which you can easily manage your databases.
The installation procedure is shown in Listing 1.
For security reasons we rename the default phpmyadmin
folder, adding a random string at the end, like 54td85


#mv phpMyAdmin-3.4.3.2-all-languages/ phpmyadmin_54td85
Now cd to the directory


#cd /usr/local/www/apache22/data/phpmyadmin_54td85


#mv config.sample.inc.php config.inc.php
Open config.inc.php
#vi config.inc.php


Figure 10. Netstat showing that mysql is listening on localhost only and is more secure
Listing 1. Download and untar phpmyadmin, the MySQL web frontend


#cd /usr/local/www/apache22/data/

#wget http://sourceforge.net/projects/phpmyadmin/files%2FphpMyAdmin%2F3.4.3.2%2FphpMyAdmin-3.4.3.2-all-languages.tar.gz

#tar -zxvf files%2FphpMyAdmin%2F3.4.3.2%2FphpMyAdmin-3.4.3.2-all-languages.tar.gz && rm -rf files%2FphpMyAdmin%2F3.4.3.2%2FphpMyAdmin-3.4.3.2-all-languages.tar.gz











[Figure 11 shows the phpMyAdmin login page: "Welcome to phpMyAdmin", a Language selector set to English, and Username and Password fields with a "Log in" button.]

Figure 11. Phpmyadmin web frontend


[Figure 12 shows the mod_security port options dialog with the "Build ModSecurity ..." options.]

Figure 12. Configure mod security screen before installation





In config.inc.php find the line
$cfg['Servers'][$i]['AllowNoPassword'] = false;
and replace it with
$cfg['Servers'][$i]['AllowNoPassword'] = true;


If the procedure is correct, when you go to your browser
and type the url


http://your domain name or your ip/phpmyadmin_54td85


you will see a picture like the one in Figure 11.

If you see this page, log in to the system as root
without a password and then go to Privileges and change
all users' passwords using Edit Privileges, Password. You
can use the same password for user root, but don't
use the same password for the other users you will create
here. Once the passwords are set, change AllowNoPassword back to
false, so that an account that is ever left without a password
cannot be used to log in through phpmyadmin; alternatively, set the
root password from the shell with mysqladmin -u root password
'new-password' before touching phpmyadmin at all.


Note
To increase the security of this folder you can use apache
htaccess to allow only certain IPs to access this folder.


Installing modsecurity
First we install Lua


#cd /usr/ports/lang/lua


#make install clean
and then mod_security


#cd /usr/ports/www/mod_security


#make install clean


Figure 13. Mod security installation finished

Figure 14. Apache httpd.conf with the lines that enable mod security

Check "Embedded Lua language support" and click OK
(Figure 12). The build starts (Figure 13).

When the installation finishes we have to enable the module
unique_id (if it is not already enabled) in the apache config and
then mod_security


#cd /usr/local/etc/apache22
#vi httpd.conf


Below the line


LoadModule unique_id_module libexec/apache22/mod_unique_id.so
we add


LoadFile /usr/local/lib/libxml2.so
LoadFile /usr/local/lib/liblua-5.1.so
LoadModule security2_module libexec/apache22/mod_security2.so
Restart apache


#/usr/local/etc/rc.d/apache22 restart


Configure modsecurity
Change the block


<IfModule security2_module>
Include etc/apache22/Includes/mod_security2/*.conf
</IfModule>


to


<IfModule security2_module>
Include etc/apache22/Includes/mod_security2/*.conf
Include etc/apache22/Includes/mod_security2/base_rules/*.conf
Include etc/apache22/Includes/mod_security2/asl/*.conf
</IfModule>


Now the modsecurity config and rule files are in /usr/local/etc/apache22/Includes/mod_security2
#cd /usr/local/etc/apache22/Includes/mod_security2


Create a file named modsecurity_crs_10_config.conf
Listing 2. Modifying modsecurity_crs_10_config.conf to make
mod security function


SecComponentSignature "core ruleset/2.0.10"

SecRuleEngine On

# Only one SecAuditEngine line: a later one overrides an earlier one,
# so "SecAuditEngine On" followed by "RelevantOnly" ends up as RelevantOnly.
SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
#SecAuditLogType Serial
SecAuditLog /var/log/modsecurity_audit.log

# Level 4 logs every transaction in detail; lower it to 3 or less once
# the rules are tuned, or the debug log will grow very fast.
SecDebugLogLevel 4
SecDebugLog /var/log/modsecurity_debug.log

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288

# Server masking is optional
SecServerSignature "Microsoft-IIS/6.0"

SecDataDir /tmp

# Configures the directory where temporary files will be created.
SecTmpDir /tmp

# TODO Change the temporary folder setting to a path where only
# the web server has access.
SecUploadDir /tmp

# Whether or not to keep the stored files.
# In most cases you don't want to keep the uploaded files (especially
# when there is a lot of them). It may be useful to change the setting
# to "RelevantOnly", in which case the files uploaded in relevant
# requests will be stored.
SecUploadKeepFiles Off

SecDefaultAction "phase:2,deny,status:501,log"
#touch modsecurity_crs_10_config.conf


Now we have to edit this file. Open it with your favourite
editor, e.g. vi or pico


#vi modsecurity_crs_10_config.conf


and add the lines of Listing 2. If you don't have wget, install it
from ports because we will need it to download tar.gz files


#cd /usr/ports/ftp/wget 


#make install clean 
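Before copying Listing 2 into place it is worth linting it, because several of its settings are exactly the ones a reviewer would flag: the audit engine is set twice (only the last line counts), SecDebugLogLevel 4 logs every transaction, and the data, temp and upload directories all point at the world-writable /tmp, which the listing's own TODO comment already warns about. The script below is an added example, not code from the article or from ModSecurity; its WEAK text mirrors Listing 2, and the /var/db/modsecurity/... paths in the hardened output are an assumed layout (any directory that only the www user can read will do).

```shell
#!/bin/sh
# Lint a ModSecurity base config for weak settings and print a hardened
# version of Listing 2. Added example, not the article's or ModSecurity's
# code. WEAK mirrors Listing 2; the /var/db/modsecurity paths in the
# hardened output are an assumed layout.

WEAK='SecComponentSignature "core ruleset/2.0.10"
SecRuleEngine On
SecAuditEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsecurity_audit.log
SecDebugLogLevel 4
SecDebugLog /var/log/modsecurity_debug.log
SecRequestBodyAccess On
SecResponseBodyAccess On
SecDataDir /tmp
# Configures the directory where temporary files will be created.
SecTmpDir /tmp
SecUploadDir /tmp
SecUploadKeepFiles Off
SecDefaultAction "phase:2,deny,status:501,log"'

# modsec_config_lint CONFIGTEXT: print one finding per line, exit 1 if any.
modsec_config_lint() {
    printf '%s\n' "$1" | awk '
        function flag(m) { print "WARN: " m; bad++ }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "SecRuleEngine" && $2 != "On" {
            flag("SecRuleEngine is " $2 ", so nothing is blocked") }
        $1 ~ /^Sec(Tmp|Upload|Data)Dir$/ && $2 ~ /^\/tmp\/?$/ {
            flag($1 " uses world-writable /tmp; other local users can read or replace its files") }
        $1 == "SecDebugLogLevel" && $2 > 3 {
            flag("SecDebugLogLevel " $2 " writes every transaction to the debug log") }
        $1 == "SecAuditEngine" { audit[++n] = $2 }
        $1 == "SecDefaultAction" && $0 !~ /deny|drop|redirect/ {
            flag("SecDefaultAction does not block: " $0) }
        END {
            if (n > 1) flag("SecAuditEngine set " n " times; only the last one (" audit[n] ") takes effect")
            exit bad ? 1 : 0
        }'
}

# modsec_hardened_config: Listing 2 with the findings above corrected.
modsec_hardened_config() {
    cat <<'EOF'
SecComponentSignature "core ruleset/2.0.10"
SecRuleEngine On
# One SecAuditEngine line only: a second one silently overrides the first.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/modsecurity_audit.log
# 3 = warnings and notices; 4 and above are for debugging individual rules.
SecDebugLogLevel 3
SecDebugLog /var/log/modsecurity_debug.log
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
# Private directories (assumed layout), created beforehand with:
#   install -d -o www -g www -m 0700 /var/db/modsecurity/data /var/db/modsecurity/tmp /var/db/modsecurity/upload
SecDataDir /var/db/modsecurity/data
SecTmpDir /var/db/modsecurity/tmp
SecUploadDir /var/db/modsecurity/upload
SecUploadKeepFiles Off
SecDefaultAction "phase:2,deny,status:501,log"
EOF
}

# Lint the article's listing, then the corrected one.
modsec_config_lint "$WEAK" || echo "Listing 2 as written needs work; compare with modsec_hardened_config"
modsec_config_lint "$(modsec_hardened_config)" && echo "hardened config: no findings"
```

Run the lint against the file you actually installed (modsec_config_lint "$(cat modsecurity_crs_10_config.conf)") after every edit; a non-zero exit is a cheap gate for a deployment script.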
Download the ASL rules (Listing 3). Instead of rewriting the paths
inside the rules as Listing 3 does, you can just create a symlink so
that /etc/asl points at the rules directory


#cd /etc
#ln -s /usr/local/etc/apache22/Includes/mod_security2/asl/ asl


We also empty the domain-spam-whitelist.conf file because of
an error in modsecurity
# cat /dev/null > /usr/local/etc/apache22/Includes/mod_security2/domain-spam-whitelist.conf





[Figure 15 shows the Joomla! 1.7 sample site front page, with the "About Joomla!", "This Site" and "Example Pages" menus and the Upgraders and Professionals text blocks.]

Figure 15. Joomla 1.7 CMS Frontend


Now let's configure exclusions for some false positives of
modsecurity to make our server functional (see Listing 4).


Restart apache to apply the configuration


#/usr/local/etc/rc.d/apache22 restart





Listing 3. Downloading and Installing atomicorp mod security rules


#wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.gz
#tar -zxvf modsec-2.5-free-latest.tar.gz
#mv modsec/* /usr/local/etc/apache22/Includes/mod_security2/asl/


Now we modify the asl rules to find our path (they refer to /etc/asl):


#cd /usr/local/etc/apache22/Includes/mod_security2/asl
#for f in *.conf; do sed -i '' 's|/etc/asl|/usr/local/etc/apache22/Includes/mod_security2/asl|g' "$f"; done


Listing 4. Configuring mod security exclusions


#cd /usr/local/etc/apache22/Includes/mod_security2/asl
#cat > 99_asl_exclude.conf << EOF
<Directory /usr/local/www/apache22/data/>
SecRuleRemoveByID 960032
SecRuleRemoveByID 960034
SecRuleRemoveByID 960010
</Directory>

# The path must match the renamed phpmyadmin directory from above
<Location /phpmyadmin_54td85>
SecRuleRemoveByID 950001
SecRuleRemoveByID 959013
SecRuleRemoveByID 959009
SecRuleRemoveByID 959904
</Location>
EOF
Listing 5. Download and untar Joomla 1.7 CMS


#cd /usr/local/www/apache22/data


#wget http://joomlacode.org/gf/download/frsrelease/15278/66554/Joomla_1.7.0-Stable-Full_Package.tar.gz


#tar -zxvf Joomla_1.7.0-Stable-Full_Package.tar.gz

Listing 6. Testing mod security in Joomla 1.7 CMS using an sql injection


http://your domain name or your ip/index.php?action=&type=view&s=&id=-1'%20union%20select%200,concat(char(85),char(1...
[remainder of the payload, a long concat(char(...)) string, trimmed]








Note

In order to make your websites function correctly you have
to monitor the log files for false positive alerts and disable or
fix these alerts. You can monitor alerts with the command


# tail -f /var/log/modsecurity_audit.log | grep id
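Rather than grepping the audit log by eye, the following shell script (an added example, not the article's code) parses a ModSecurity 2.x serial audit log, counts how often each rule ID fired and on which request paths, and lists the IDs that hit a given path. That is exactly the input needed for a SecRuleRemoveByID block like Listing 4: a rule that fires only on an attack path is a true positive, one that fires on phpmyadmin (which sends SQL by design) is a false positive to exclude for that Location only, not for the whole site. The log excerpt embedded below is constructed in the serial format ModSecurity writes; the hosts, transaction IDs, line numbers and rule messages are illustrative, not a real capture.

```shell
#!/bin/sh
# Triage a ModSecurity 2.x serial audit log (the file named by SecAuditLog).
# Added example, not the article's code. The excerpt below is constructed
# in the format ModSecurity writes; hosts, transaction IDs, line numbers
# and the rule IDs/messages are illustrative, not a real capture.

SAMPLE_AUDIT='--4f2a9c10-A--
[20/Aug/2011:14:02:11 +0300] TkTcrX8AAQEAAGRtBv0AAAAA 192.168.10.104 51234 192.168.10.1 80
--4f2a9c10-B--
GET /index.php?id=-1%27%20union%20select%200,1 HTTP/1.1
Host: www.example.com
--4f2a9c10-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?i:\bunion\b.{1,100}?\bselect\b)" at ARGS:id. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--4f2a9c10-Z--
--4f2a9c11-A--
[20/Aug/2011:14:02:12 +0300] TkTcsH8AAQEAAGRtBv4AAAAB 192.168.10.104 51235 192.168.10.1 80
--4f2a9c11-B--
PROPFIND / HTTP/1.1
Host: www.example.com
--4f2a9c11-H--
Message: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--4f2a9c11-Z--
--4f2a9c12-A--
[20/Aug/2011:14:05:40 +0300] TkTdZH8AAQEAAGRtBv8AAAAC 192.168.10.50 50110 192.168.10.1 80
--4f2a9c12-B--
POST /phpmyadmin_54td85/import.php HTTP/1.1
Host: www.example.com
--4f2a9c12-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?i:\bselect\b.{0,40}\bfrom\b)" at ARGS:sql_query. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--4f2a9c12-Z--
--4f2a9c13-A--
[20/Aug/2011:14:06:02 +0300] TkTdbn8AAQEAAGRtBwAAAAAD 192.168.10.50 50111 192.168.10.1 80
--4f2a9c13-B--
POST /phpmyadmin_54td85/sql.php HTTP/1.1
Host: www.example.com
--4f2a9c13-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?i:\bselect\b.{0,40}\bfrom\b)" at ARGS:sql_query. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--4f2a9c13-Z--'

# modsec_audit_hits LOGTEXT: one line per rule hit, tab separated:
#   request-path <TAB> rule-id <TAB> rule-message <TAB> client-ip
modsec_audit_hits() {
    printf '%s\n' "$1" | awk '
        /^--[0-9a-f]+-A--$/ { sect = "A"; uri = ""; client = ""; next }
        /^--[0-9a-f]+-[B-Z]--$/ { sect = substr($0, length($0) - 2, 1); next }
        sect == "A" && NF >= 7 { client = $4; next }
        sect == "B" && uri == "" { uri = $2; sub(/\?.*/, "", uri); next }
        sect == "H" && /^Message:/ {
            id = ""; msg = ""
            if (match($0, /\[id "[0-9]+"\]/)) id = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            if (id != "") printf "%s\t%s\t%s\t%s\n", uri, id, msg, client
        }'
}

# modsec_audit_summary LOGTEXT: hits per rule id, most frequent first, with
# the distinct paths it fired on.
modsec_audit_summary() {
    modsec_audit_hits "$1" | awk -F '\t' '
        {
            n[$2]++; msg[$2] = $3
            if (!(($2, $1) in seen)) { seen[$2, $1] = 1; paths[$2] = paths[$2] " " $1 }
        }
        END { for (i in n) printf "%d\t%s\t%s\t%s\n", n[i], i, msg[i], substr(paths[i], 2) }' | sort -rn
}

# modsec_ids_for_path LOGTEXT PATH: distinct rule ids that fired on requests
# under PATH, ready to be pasted into a <Location PATH> exclusion block.
modsec_ids_for_path() {
    modsec_audit_hits "$1" | awk -F '\t' -v p="$2" 'index($1, p) == 1 { print $2 }' | sort -u
}

# Against a real log:  modsec_audit_summary "$(cat /var/log/modsecurity_audit.log)"
modsec_audit_summary "$SAMPLE_AUDIT"
```

On the sample, 950001 fires three times but only the /index.php hit is an attack; the two phpmyadmin hits are the application doing its job, which is why Listing 4 removes 950001 inside a Location block rather than globally.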


Also if your hardware is old it is good to delete some rules
or your apache web server will be slow. For example you
can delete these files from the /usr/local/etc/apache22/Includes/mod_security2/asl directory:

10_asl_antimalware.conf
10_asl_antimalware_output.conf
11_asl_data_loss.conf
20_asl_useragents.conf
30_asl_antimalware.conf
30_asl_antispam.conf
30_asl_antispam_referrer.conf





Method Not Implemented

GET to /index.php not supported.


Figure 16. Error message after sql injection


or whatever you think is not necessary for your website's
protection.


Testing

Now let's test whether modsecurity is working. In order to test
it on a real website I am going to install joomla 1.7, a very
popular open source CMS. Install the Joomla CMS (Listing
5). Open a web browser and type


http://your domain name or your ip/


It should open the joomla installation; follow the on-screen
procedure and finish the joomla installation. If the directory is
not writable by apache, at the end it will not create the
configuration.php file. To do it manually


#touch /usr/local/www/apache22/data/configuration.php
#vi /usr/local/www/apache22/data/configuration.php


copy the configuration file contents from the web browser and add
them to configuration.php; also click "remove installation
folder". If that does not succeed, remove it from the command line


#rm -rf /usr/local/www/apache22/data/installation





Figure 17. mod security audit log entry after the sql injection

[Figure 18 shows a terminal running the OWASP Joomla! Vulnerability Scanner v0.0.3-b ((c) Aung Khant, YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab; 466 vulnerability entries, last update August 18, 2009) against Target: http://192.168.10.104/index.php, ending with "[x] Unable to process any more. I get - 501 Method Not Implemented" and "[*] Time Taken: 1 min and 10 sec".]

Figure 18. Backtrack joomscan penetration testing utility
If everything is working you will see the page in Figure 15 when
you open your web browser and type


http://your domain name or your ip/
Now open the web browser and type


http://your domain name or your ip/index.php?username=admin';DROP%20TABLE%20users--


Or another exploit you can test is Listing 6.

If everything is working you will see the error page (Figure 16), and in the log file you will see the deny rule entry (Figure 17).

Also, if you try scanning the server for security vulnerabilities using joomscan (it can be downloaded from http://sourceforge.net/projects/joomscan/ or found on the BackTrack DVD), it will return an error that it cannot process the website (Figure 18).
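As an added example, not part of the article, here is a small Python parser for ModSecurity's serial audit log that pulls out the transactions the deny rule intercepted (the kind of entry Figure 17 shows). The log text below is constructed: the client address, unique ids, rule id and rule file path in it are placeholders, while the server address and the probe request follow the test the article performs.

```python
import re

# Constructed sample of a ModSecurity serial-format audit log with two
# entries; this is not the log from the article's Figure 17. The client
# address, unique ids, rule id and rule file path are placeholders, while the
# server address and the probe request follow the test the article performs.
SAMPLE_AUDIT_LOG = r"""--a1b2c3d4-A--
[18/Aug/2011:10:22:31 +0300] TkyKx38AAAEAAAcZFO0AAAAA 192.168.10.50 52134 192.168.10.104 80
--a1b2c3d4-B--
GET /index.php?username=admin'%20;%20DROP%20TABLE%20users-- HTTP/1.1
Host: 192.168.10.104
User-Agent: Mozilla/5.0
--a1b2c3d4-F--
HTTP/1.1 501 Method Not Implemented
Content-Type: text/html; charset=iso-8859-1
--a1b2c3d4-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?i:drop\s+table)" at ARGS:username. [file "/path/to/rules/placeholder.conf"] [line "1"] [id "900001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache (placeholder version)
--a1b2c3d4-Z--
--e5f6a7b8-A--
[18/Aug/2011:10:22:40 +0300] TkyKyH8AAAEAAAcaGrkAAAAB 192.168.10.50 52140 192.168.10.104 80
--e5f6a7b8-B--
GET /favicon.ico HTTP/1.1
Host: 192.168.10.104
--e5f6a7b8-F--
HTTP/1.1 404 Not Found
--e5f6a7b8-H--
Message: Warning. Operator EQ matched 404 at RESPONSE_STATUS. [file "/path/to/rules/placeholder.conf"] [line "2"] [id "900002"] [msg "Audit-logged 404"]
--e5f6a7b8-Z--
"""

# Section separators look like "--<boundary>-<part letter>--"; part A opens
# an entry and part Z closes it.
SECTION_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Part A: [timestamp] unique-id client-ip client-port server-ip server-port
A_LINE_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')         # [id "..."], [msg "..."], ...
DENIED_RE = re.compile(r"Access denied with code (\d+)")


def _summarize(sections):
    """Reduce one entry's sections (part letter -> lines) to a flat record."""
    rec = {"unique_id": None, "time": None, "client": None, "server": None,
           "request": None, "status": None, "denied": False, "rules": []}
    a = A_LINE_RE.match((sections.get("A") or [""])[0])
    if a:
        rec["time"], rec["unique_id"], rec["client"], _, rec["server"], _ = a.groups()
    if sections.get("B"):
        rec["request"] = sections["B"][0]           # request line
    if sections.get("F"):
        status = sections["F"][0].split()           # "HTTP/1.1 501 ..."
        if len(status) > 1 and status[1].isdigit():
            rec["status"] = int(status[1])
    for line in sections.get("H", []):              # audit trail: one Message per rule hit
        if not line.startswith("Message:"):
            continue
        tags = dict(TAG_RE.findall(line))
        denied = bool(DENIED_RE.search(line))
        rec["rules"].append({"id": tags.get("id"), "msg": tags.get("msg"), "denied": denied})
        rec["denied"] = rec["denied"] or denied
    return rec


def parse_audit_log(text):
    """Split a serial audit log into entries and summarize each one."""
    entries, boundary, part, sections = [], None, None, {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            bnd, part = m.group(1), m.group(2)
            if part == "A":                          # first section of a new entry
                boundary, sections = bnd, {}
            elif bnd != boundary:
                raise ValueError(f"section {part} with unexpected boundary {bnd}")
            if part == "Z":                          # end of the entry
                entries.append(_summarize(sections))
                boundary = part = None
            else:
                sections[part] = []
        elif part is not None:
            sections[part].append(line)
    return entries


def denied_entries(entries):
    """Only the transactions ModSecurity actually blocked (the deny rule hits)."""
    return [e for e in entries if e["denied"]]


if __name__ == "__main__":
    for e in denied_entries(parse_audit_log(SAMPLE_AUDIT_LOG)):
        rules = ", ".join(f'{r["id"]} ({r["msg"]})' for r in e["rules"] if r["denied"])
        print(f'{e["time"]} {e["client"]} -> {e["server"]} {e["status"]} {e["request"]} [{rules}]')
```

Running it prints one line per blocked transaction; the second constructed entry (a 404 that was only audit-logged) is filtered out because no Message line reports an access denial.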
MySQL Unleashed!


We explore some tips and tricks that you can use to gain better performance with MySQL


What you will learn...
- How to fine-tune and optimize MySQL databases for best performance.


Your database table seems to be well-indexed and yet a simple query on it takes ages to complete. Or maybe the web apps look good in the dev environment, but become just as bad once in the production environment.
If you are a database admin, chances are that you have already encountered the above situations at some stage or the other. Therefore, in this article, we shall be looking at debugging, myth-busting and handling certain common (and uncommon) MySQL issues. In this first part, we begin with certain simple and easily implementable tips and tricks.


Storage Engine Woes

If your table uses transactions, you should consider using InnoDB as it comes with full ACID compliance. However, if you do not require transactions, it would be wiser to stick to MyISAM, the default storage engine.

Also, do not try to sail on two boats, er... sorry, storage engines. Consider this: in a transaction, some tables use InnoDB while the rest are on MyISAM. The outcome? When the transaction is rolled back, only the InnoDB tables are brought back to their original state; the MyISAM tables keep the data as it was written. Needless to say, this will lead to inconsistency across the database. However, there exists a simple way to enjoy both the flavours! Most MySQL distributions nowadays include InnoDB, compiled and linked! But if you opt for MyISAM, you can still download InnoDB separately, and use it as a plugin! Simple, eh?


What you should know...
- Working with MySQL, database administration.


Counting Issues

If your table employs a storage engine that supports transactions (such as InnoDB), you shouldn't use COUNT(*) to find out the total number of rows in the table. The reason is that using COUNT(*) on a production-class database will at the very most return an approximate value, as at any given time some transactions will be running. Such an incorrect result from COUNT(*) will obviously generate bugs if put to use.

The default storage eng­ine for MySQL is MyISAM, which does not support transactions. However, engines such as InnoDB are favored over MyISAM as the latter has a (notorious) distinction of not being the best fault-tolerant storage engine. This, in fact, beats the myth that MySQL is faster than PostgreSQL: COUNT(*) returns the results quickly in MySQL only when operating under MyISAM. If the storage engine is changed to InnoDB, COUNT(*) takes the same amount of time as PostgreSQL.


Test, Test, Test


The major headache with queries is not the fact that, no matter how careful one is, something or the other is bound to be left out and cause a bug later on. Rather, the problem is the timing at which the bug surfaces, which in most cases is after the application/database has gone live. There really exists no sure-shot strategy to counter it, except for the test samples that you must run on your application/database. No database query should be approved unless it has been subjected to chunks of thousands of sample records.


Countering Table Scans

More often than not, if MySQL (or any relational database model) has to search or scan for any particular record in a table, a full table scan is used. Again, more often than not, the easiest cure here is to use indexes to solve the problem, as full table scans result in poor performance. However, as we shall see in subsequent issues, this does not come without its share of pitfalls.


Using Explain
EXPLAIN is an excellent command when it comes to debugging, so let us explore it in depth.

First, let us create a sample table:


CREATE TABLE `awesome_bsd` (
  `emp_id` INT(10) NOT NULL DEFAULT '0',
  `full_name` VARCHAR(100) NOT NULL,
  `email_id` VARCHAR(100) NOT NULL,
  `password` VARCHAR(50) NOT NULL,
  `deleted` TINYINT(4) NOT NULL,
  PRIMARY KEY (`emp_id`)
)
COLLATE = 'utf8_general_ci'
ENGINE = InnoDB
ROW_FORMAT = DEFAULT;


The table is self-explanatory, with five columns, the last one, `deleted`, being a Boolean flag to check whether an account is active or has been deleted. Next, you may populate this table with sample records (say, 100 employee records). As you can see, the primary key lies on `emp_id`.

So, using the email address and password fields, we can easily create a query to validate or deny a login attempt, as follows:


SELECT COUNT(*) FROM awesome_bsd WHERE
  email_id = 'blahblah' AND password = 'blahblah'
  AND deleted = 0;

Oops! I've already told you to avoid using COUNT(*). Let me rectify:


SELECT emp_id FROM awesome_bsd WHERE
  email_id = 'blahblah' AND password = 'blahblah'
  AND deleted = 0;


Now, let us introspect. In the first instance, we queried to locate and return the number of rows where email_id and password were equal to the given values. In the second case, we did the same but instead decided to ask for the value of emp_id for all the rows that satisfied the given criterion. What would you say? Which query is the more expensive?

Apparently, both of them are equally expensive, database-killing queries because, unintentionally, we are asking for a full table scan in each case. To understand this better, execute:


EXPLAIN SELECT emp_id FROM awesome_bsd WHERE
  email_id = 'blahblah' AND password = 'blahblah'
  AND deleted = 0;


In the output, concentrate on the second-last column, rows. Assuming that we had populated the table with 100 records, it will show 100 in the first row, which is the number of rows that MySQL needs to scan in order to evaluate the result of this query. What does this show? Yes, a full table scan (read: memory hog).

To overcome this evil, we need to add indexes.


Indexes

First things first: it's a bad idea to create indexes for every second problem that you might encounter. Excessive indexing leads to slower performance and hogs resources. Before going any further, let us create a sample index on our example:


ALTER TABLE `awesome_bsd` ADD
  INDEX `LoginValidate` (`email_id`);


Next, run the query again:


EXPLAIN SELECT emp_id FROM awesome_bsd WHERE
  email_id = 'blahblah' AND password = 'blahblah'
  AND deleted = 0;


Now notice the value. Instead of 100, it should now say 1. Thus, MySQL is now scanning only 1 row in order to give you the output of this query, thanks to the index created earlier. You might notice that the index was created only for the email address field while the query searches for other fields too. This shows that MySQL first performs a cross-check to see whether any of the values specified in the WHERE clause has an index defined for it, and if so, uses it. However, it isn't the case that every iteration will be reduced to one. If, for instance, the indexed field is not unique (such as employee names, which can have identical values in two rows), there will be multiple records left even after indexing. Yet, it will still be better off than a full table scan.

Also, the order of columns specified in the WHERE clause does not play a role in the process. If, for instance, in the above query, you reverse the order of fields such that the email address comes last, MySQL will still iterate on the basis of the indexed column.

Now, with indexing at your fingertips, you've seen how to avoid numerous full table scans and gain better results. Let's proceed further.


Full Table Scans Can Strike Back, Too

First up, let us come to common MySQL errors or issues that are often ignored. Let's create a table along the lines of the following sample (this sample table has a few flaws in it, as we shall see later on):


CREATE TABLE `awesome_table` (
  `awe_a` INT(10) NOT NULL AUTO_INCREMENT,
  `awe_date` DATE NOT NULL,
  PRIMARY KEY (`awe_a`),
  INDEX `awe_date` (`awe_date`)
)


Additionally, you may suffix the following to the above table too (it depends on the environment you have at your disposal, though the following code is a recommended addition, if possible):


COLLATE = 'utf8_general_ci'
ROW_FORMAT = DEFAULT


Populate the table with some sample records (say, 10 records). The primary key lies with the awe_a column, while the awe_date column is indexed as well. So, simply because indexing is on for the awe_date column, we can assume that any queries done on the column will not run unoptimised, right? Apparently not! Run the following sample query:


EXPLAIN SELECT * FROM awesome_table
  WHERE awe_date < '1980';


What did you get? Correct! It runs a full table scan, yet again, in spite of the index placed on the awe_date column. Now, let us modify the above query slightly:


EXPLAIN SELECT * FROM awesome_table
  WHERE awe_date < '1980-01-02';


What did you see now? It no longer performs a full table scan, but instead shows the scan type as range rather than index. The outcome? Faster processing! As you must have noticed, in the first query, '1980' is an ambiguous parameter, but in the second query the entire date eliminates the possibility of a scan type such as ALL.

Another common scenario wherein an otherwise-not-required full table scan is called upon is one involving UCASE and LCASE. More often than not, applications perform case-insensitive searches. For example:


EXPLAIN SELECT * FROM table_name
  WHERE UCASE(column_name) = 'THIS IS SO WONDERFUL';

In such searches, MySQL will ignore the indexes, convert the values held by the specified column in each row to UCASE and then perform the search for the given sample text. The easiest way out of such a situation is to store either UCASE or LCASE values (the requisite case conversion should ideally be performed when the record is inserted in the table). Following that, the case of the value under consideration can be automatically compared, as shown in the query below:


EXPLAIN SELECT * FROM table_name
  WHERE column_name = UCASE('this is so wonderful');

This shall compel MySQL to convert the given value into UCASE in order to match a rule that allows for storage of only UCASE values in the given column.


The MyISAM Storage Engine - a Closer Look
As we covered earlier, MyISAM is MySQL's default storage engine. Now we shall take a closer look at it.

MyISAM by default stores a table in two files (one for the data, the other for indexes). For the data file, the extension is .MYD while for the index file, the extension is .MYI. You can also use the DATA DIRECTORY and INDEX DIRECTORY options along with the CREATE TABLE command to specify the location of each file of the given table. Since these files are platform independent, most databases support specifying the directories.

Also, all readers having SELECT associated with queries need to obtain read locks, and multiple users can do the same by means of shared locks. On the contrary, all writers need to have exclusive locks. Thus, while two users can acquire read locks (SELECT) at the same time, they cannot perform write operations (INSERT, UPDATE or DELETE, etc.) simultaneously. This is the precise reason why indexing is crucial and, needless to say, if you fail to handle your indexes well, write operations will become slow and time consuming, resulting in heavy load on the system.

MyISAM supports Full Text Index (also known as Full Text Search) but doesn't yet support transactions. Table locks are a possibility, but row locks are not. Furthermore, MyISAM supports compressed tables too (read only). However, it must be noted that only individual rows are compressed and not the entire table as a whole.

MyISAM also has the advantage of allowing NULL values even in indexed fields, as well as providing a different character set for each CHAR or VARCHAR column type.


MyISAM and B-TREE - Spicing Up Your Indexes!
In a MyISAM powered table, the type of each index is B-tree. So before going any further, let us analyze what a B-tree is, and to do so, we shall turn to Wikipedia (http://en.wikipedia.org/wiki/B-tree):

"... a B-tree is a tree data structure that keeps data sorted and allows searches, sequential access, insertions, and deletions in logarithmic amortized time. The B-tree is a generalization of a binary search tree in that a node can have more than two children. ... Unlike self-balancing binary search trees, the B-tree is optimized for systems that read and write large blocks of data. It is commonly used in databases and filesystems."


With the introduction out of the way, we now turn our attention once again to MyISAM and B-tree, with special focus on indexes. First, we can briefly sum up the theoretical aspect of the issue.

It can be said that the B-tree index has a root node on the top (since it is a tree, it has to have a root). In a B-tree, any node that doesn't have a child attached to it is called a leaf node. Therefore, the root node is a non-leaf node while all the nodes that spring from it are called leaf nodes. The links between a node and its immediate children can be shown as pointers. Do not confuse these pointers with C/C++ pointers.

Going below the leaf nodes (ones without child nodes), you'll find the actual table data. The data is linked to the leaf nodes on the basis of key values. Thus, it becomes quite obvious that effective and speedy searches depend on how the key values associate the data to the leaf nodes, or, in simple terms, how effectively a table is indexed.

At this juncture, we can also tear apart the myth that MyISAM supports clustered indexes. The truth is, MyISAM does not store data in a sorted fashion, whereas for a clustered index to work, data must be sorted. MyISAM, on the other hand, stores data as and when it is inserted into the table. It does sort the indexes, but as we have already covered, indexes are stored in a separate file (.MYI) from the data itself (.MYD). MyISAM uses indexes to point to the exact location of unsorted data and, as a result, removes the need to store data in a sorted manner. The bottom line is that clustered indexes are not possible on MyISAM.

The most obvious benefit of employing a B-tree is that it considerably improves the search functionality (SELECT queries). However, on the down side, queries such as INSERT and DELETE tend to become slower as each time a record is either inserted or deleted, the indexes located in the .MYI file also need to be modified. The cure in such a case is to index selectively.

Index selectivity implies the difference in values stored or recorded in the columns of a table. Selectivity is measured on a scale of 0 to 1, wherein 1 implies that each value in the selected column is UNIQUE. Generally, a selectivity of 1 occurs with columns that are UNIQUE or PRIMARY KEY, though this isn't always the case and it varies with the nature of values stored in the given columns. For the sake of simplicity, we can stick to the following formula:


SELECTIVITY = NO. OF DISTINCT RECORDS / TOTAL NO. OF RECORDS


The above formula is a stripped-down and simplified version for the purpose of understanding. If you so desire, you can use the alternate way to calculate selectivity by employing a production-class database and finding the number of DISTINCT rows in it. Bear in mind, though, that the number of DISTINCT values in a column may or may not always work perfectly.

Higher selectivity means the operations shall be of shorter duration and vice-versa. As a result, lower selectivity is termed an expensive operation while higher selectivity is an inexpensive operation.

Finally, coming back to the sample table that we created earlier in the article. The awe_a column is a PRIMARY KEY, and will thus have a selectivity of 1. The awe_date column is indexed as well, so let's focus on it. Quite obviously, all dates cannot be distinct or UNIQUE and this column is bound to have a low selectivity. In such a case, it will not serve as a good index and, as a result, in spite of indexing the column, we got a full table scan in the first query that we ran earlier.
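As an added example (not the article's code), the selectivity formula above computed over every column of the awesome_table sample, again using sqlite3 in place of MySQL. The ten dates are constructed so that awe_date repeats, and the 0.5 cut-off in index_candidates is an assumed rule of thumb, not a MySQL setting.

```python
import sqlite3

# Constructed rows for the article's awesome_table; the dates repeat on purpose
# so that the indexed awe_date column has a low selectivity.
SAMPLE_DATES = ["1979-05-01", "1979-05-01", "1979-05-01", "1982-11-20",
                "1982-11-20", "1982-11-20", "1982-11-20", "1990-01-15",
                "1990-01-15", "1990-01-15"]


def build_awesome_table(dates=SAMPLE_DATES):
    """The article's awesome_table (primary key awe_a, indexed awe_date)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE awesome_table ("
                "awe_a INTEGER PRIMARY KEY AUTOINCREMENT, awe_date DATE NOT NULL)")
    con.execute("CREATE INDEX awe_date ON awesome_table (awe_date)")
    con.executemany("INSERT INTO awesome_table (awe_date) VALUES (?)",
                    [(d,) for d in dates])
    return con


def column_selectivity(con, table):
    """SELECTIVITY = number of distinct values / total number of records, for
    every column of `table`. The names come from the schema catalogue, not from
    user input, which is the only reason they may be formatted into the SQL."""
    total = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    columns = [row[1] for row in con.execute(f"PRAGMA table_info('{table}')")]
    selectivity = {}
    for col in columns:
        distinct = con.execute(
            f'SELECT COUNT(DISTINCT "{col}") FROM "{table}"').fetchone()[0]
        selectivity[col] = distinct / total if total else 0.0
    return selectivity


def index_candidates(selectivity, threshold=0.5):
    """Columns selective enough to be worth a B-tree index, best first. The
    threshold is a constructed rule of thumb, not a value MySQL uses."""
    return sorted((c for c, s in selectivity.items() if s >= threshold),
                  key=lambda c: selectivity[c], reverse=True)


if __name__ == "__main__":
    sel = column_selectivity(build_awesome_table(), "awesome_table")
    for col, value in sel.items():
        print(f"{col}: selectivity {value:.2f}")
    print("worth indexing:", index_candidates(sel))
```

With the sample data awe_a scores 1.0 (every value distinct) while awe_date scores 0.3, which is the low-selectivity situation in which the article says the optimizer may ignore the index.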

Before performing a query, MySQL calculates the cost of the different ways in which the query can be performed and then picks the cheapest or most effective way. So if a low-selectivity column is used for an index, it will overload the system. To avoid such overloading, MySQL may choose not to use your index if the selectivity is low. This is precisely the reason why, even after using multiple indexes, your queries may still result in full table scans (read: slower outputs) and burden the system resources. In simple terms, the entire input and output process depends on the appropriateness of the indexing and querying. Hence, it becomes vital that indexes are used judiciously and selectively.

In this article, we covered the myths and overlooked or relatively lesser known details about MySQL indexes, as well as the functioning of the MyISAM storage engine. I hope you enjoyed reading it. Happy querying!


SUFYAN BIN UZAYR 
Terminal Descriptions for OpenBSD AMD/Intel consoles


In this article I would like to describe the results of my work of tuning OpenBSD consoles for AMD/Intel PCs. These results are also applicable to computers with the same hardware architecture (amd64 or i386, see http://www.openbsd.org/plat.html): servers, workstations, notebooks, etc.


What you will learn...

• important facts about ASCII terminals

• how to tune OpenBSD AMD/Intel consoles for comfortable work with mail and Midnight Commander


What you should know...

• what is OpenBSD

• how to install OpenBSD operating system
• how to use OpenBSD packages and ports


I often worked on OpenBSD AMD/Intel PC consoles and really did not have good support of navigation and function keys of a typical PC keyboard. Also I had some problems with colors/attributes (maybe they were video adapter dependent). These issues have existed for a long time and cause much inconvenience if you often work at the console (not in a graphical environment!).





Listing 1. Cyrillic support for AMD/Intel consoles


# cat /etc/kbdtype
ru


# cat /etc/rc.local


if [ -x /sbin/wsconscfg -a -x /usr/sbin/wsfontload ]; then
        /usr/sbin/wsfontload /usr/share/misc/pcvtfonts/koi8-r-8x16
        for CONSOLE in 2 3; do
                /sbin/wsconscfg -d -F $CONSOLE
                /sbin/wsconscfg -t 80x25bf -e vt100 ${CONSOLE}
        done
fi


/sbin/wsconsctl -w keyboard.map+="keycode 184 = Mode_Lock" >/dev/null
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Terminal descriptions for OpenBSD AMD/Intel consoles 








Listing 2. Terminal descriptions patch for AMD/Intel consoles


Apply this patch by doing:
cd /usr/src


patch -p0 < OpenBSD_PC_console.patch


And then rebuild and install the terminal description databases:
cd share/termtypes
make obj
make cleandir
make depend
make


make install


After that you can use these emulations for AMD/Intel PC consoles:

- pccon0-m

- pccon0

- pccon-m


- pccon


Also you can replace the default "vt220" with "pccon" in /etc/ttys for the "console" and "ttyC" entries.

--- ./share/termtypes/termtypes.master.orig Mon 


NOver2 e552 07200 


+++ ./share/termtypes/termtypes.master Sun Aug 14 18:33: 


oe ZO 1. 
@@ -1649,6 +1649,55 @@ 
gansi-w|QNX ansi for windows, 


xvpa, use=gansi-m, 


+#### OpenBSD consoles 


+# 

+# From: Alexei Malinin <Alexei.Malinin@mail.ru>; July, 
ee) lee 

+# 


+# The following terminal descriptions for the AMD/ 
intel PC console 

+# were prepared based on information contained in the 
OpenBSD-4.9 

+# termtypes.master and wscons(4) & vga(4) manuals 
(2010, November). 

+# 

+pccont+keys|OpenBSD PC keyboard keys, 

Te Mos- le Kean—- Cn kolo lem <eull— Ds kewal— \ey| be 


kcuf1=\E[C, 

+ keuul=\E/A, kdchl=\E[3~, kend=\E/8~, kent=*M, kfl=\E[11~, 

to kOe id 23s) ke 2-2 ke ee, 

+ kf3=\E[13~, kf4=\E[14~, kf5=\E[15~, kf6=\E[17~, kf7=\E[18~, 

+ kf8=\E[19~, kf9=\E[20~, khome=\E[7~, kichl=\E[2~, 

+ knp=\E[6~, kpp=\E[5~, krfr=*R, kspd=*Z, 

+pccontacs0|simple ASCII pseudographics for OpenBSD PC 
console, 

eS e— t= Oe Tener i OO E on 
ttutviwtx!|!}#~o, 

+pccontacs|default ASCII pseudographics for OpenBSD PC 
console, 

tj acsce—tay, y,---- 00" “aatroghinia i] kkMimmnccopedqqrursseruu 
VVWWRKVV2ZS11)||}}<<, 

Foecon colorsANS! colors for CoenboD PC. console, 


+ bce, 


+ op=\E[mS$<2>, setab=\E[4%p1%dmS<2>, 

+  Ssetat—\hi32pilcdms<2->, 

+pccontbase|base capabilities for OpenBSD PC console, 
ally <p, Mest, Oe, mxon, xenl,. xen, 

cols#80, it#8, lines#24, 

bel=*G, 
cup=\E[%i%p1%d; %p2%dHS<5>, ed=\E[JS<50>, el=\E[KS<3>, 
ell=\ELIKS<3 >) senaacs— E(B E)0, home—\ElHe<5>, fe- 1, 


ellearc— Hi Zuo<50> er — Ty 


ino— Jp mel \EES<2- trey — 5 | ime<2>,bl— BMo<5>)s uilees- ©, 
Mi O= VN La 2s sas P= es <s0>- 

sgr=\E [m$<2>%?%p1%p3% | St \E [ 7m$<2>%; $?Sp9St\016%e\017%;, 
sgr0=\E[m$<2>\017, smacs=*N, smso=\E[7m$<2>, 


+o + + FF +t + + + 


+pccon0-m|OpenBSD PC console without colors & with 
Simple ASCII pseudographics, 
+ use=pccontbase, 
+ use=pccontacs0, 
+ use=pccontkeys, 
+pccon0|OpenBSD PC console with simple ASCII pseudographics, 
+ use=pccon0-m, 
+ use=pccontcolors, 
+pccon-m|OpenBSD PC console without colors, 
+ use=pccontbase, 
+ use=pccontacs, 
+ use=pccontkeys, 
+pccon |OpenBsbD PC console, 
+ use=pccon-m, 
+ use=pccontcolors, 
i 
#### NetBSD consoles 
# 


# pcvt termcap database entries (corresponding to release 3.31) 
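Review bot: pccon+base fixes the screen size with "cols#80, it#8, lines#24", yet the article describes pccon for 80x25 displays and pccon0 for 80x40 and 80x50 displays, and pccon0 inherits the same lines# through use=pccon0-m; either state in the header comment how the larger line counts are meant to be picked up, or override lines# in the pccon0 entries so the description matches what it is documented for. Also, the entry header shown as "pccon |OpenBsbD PC console," has a space before the "|", which would become part of the terminal name; drop it.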
Note
Commands and options discussed in this article refer to the latest version of OpenBSD (4.9).

Let us look at my typical work environment:


• an AMD/Intel PC with VGA display,

• PC keyboard (usually 104-key with Cyrillic letters),

• vt220 default console terminal type,

• Cyrillic support for the 2nd and 3rd consoles (Ctrl+Alt+F3 and Ctrl+Alt+F4); the fragments of the configuration files (in my /etc directory) which differ from the defaults are in Listing 1.


Note
Useful links about OpenBSD cyrillization:


• http://www.obsd.ru/8/?q=node/1172
• http://www.openbsd.ru/docs/howto-cyrillic.html
• http://www.openbsd.org/taq/faq/.html


The console environment described above is suitable for mail and Midnight Commander, but not all navigation and function keys work as expected, and some color/attribute issues are annoying.


Note

Midnight Commander (http://www.midnight-commander.org/) is a handy full-screen file manager but it is not in the base OpenBSD distribution. It can be installed from packages or ports (ports/misc/mc), see http://www.openbsd.org/faq/faq15.html.

Before delving into the details of tuning the console let us recall how full-screen applications interact with ASCII (or alphanumeric) terminals. These applications typically use a high-level screen management library. In turn this library uses a terminal descriptions database for performing high-level screen management functions (cursor movement, setting colors, etc). The most famous screen management library for ASCII terminals is curses, which uses one of the two terminal descriptions databases: termcap or terminfo. These terminal description databases make curses terminal independent, and this terminal independence is the foundation of curses. termcap and terminfo are the mechanisms by which UNIX systems support hundreds of varieties of ASCII terminals without the need for special drivers for each terminal. Most of the capabilities in termcap and terminfo are identical except in name.





Listing 3. Tuning display resolutions for AMD/Intel consoles


For 80x50 resolution (8x8 font):

if [ -x /sbin/wsconscfg -a -x /usr/sbin/wsfontload ]; then
        /usr/sbin/wsfontload -h 8 /usr/share/misc/pcvtfonts/koi8-r-8x08


For 80x40 resolution (8x10 font):

if [ -x /sbin/wsconscfg -a -x /usr/sbin/wsfontload ]; then
        /usr/sbin/wsfontload -h 10 /usr/share/misc/pcvtfonts/koi8-r-8x10


For 80x25 resolution (8x16 font):

if [ -x /sbin/wsconscfg -a -x /usr/sbin/wsfontload ]; then
        /usr/sbin/wsfontload /usr/share/misc/pcvtfonts/koi8-r-8x16
Note
Important OpenBSD manual pages about ASCII terminals:


• ttys(5) - terminal initialization information

• wsconscfg(8) - configure virtual terminals on a wscons display

• wscons(4) - console access

• vga(4) - VGA graphics driver for wscons

• stty(1) - set the options for a terminal device interface

• tset(1) - terminal initialization

• tput(1) - terminal capability interface

• termcap(5) - terminal capability database

• terminfo(5) - terminal capability database


So, the problem to be solved is that the vt220 terminal type is not well suited for the AMD/Intel PC console.

What could I do?.. In the OpenBSD terminal descriptions database (I used the text version of termcap, /usr/share/misc/termcap) I found descriptions for NetBSD, FreeBSD, Linux (and for many other operating systems) consoles but nothing suitable for the OpenBSD AMD/Intel PC console! So the only solution would be to prepare a complete and correct terminal description for this console... I read OpenBSD manual pages and many other information sources that might be relevant to ASCII terminals, curses, vt100, vt220, xterm, ANSI, etc...


Note

The best source of information I ever read is the book "termcap & terminfo" published by O'Reilly in 1988 (http://oreilly.com/catalog/9780937175224/).

At last I prepared several terminal descriptions for the AMD/Intel PC console. The patch against OpenBSD-4.9 sources is in Listing 2. Do not forget to read the comments at the beginning of the patch!


Note
This patch can be downloaded from here: http://am1225.narod.ru/software/OpenBSD_PC_console.patch.


Note
The OpenBSD FAQ describes how to build the operating system from sources: http://www.openbsd.org/faq/faq5.html.

After patching OpenBSD it will be possible to use several terminal types for AMD/Intel consoles:


• pccon is suitable for a color display with 80x25 resolution,
• pccon-m is suitable for a black and white display with 80x25 resolution,

• pccon0 is suitable for a color display with 80x40 and 80x50 resolutions,

• pccon0-m is suitable for a black and white display with 80x40 and 80x50 resolutions.


There are no pseudographics for 80x40 and 80x50 display resolutions, so I prepared separate terminal descriptions pccon0 and pccon0-m for these cases.
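To show how the pccon* entries of Listing 2 are composed from the pccon+base, pccon+acs/pccon+acs0, pccon+keys and pccon+colors building blocks, here is an added Python example, not from the article or from OpenBSD, that parses terminfo-style source text and resolves use= inheritance with tic's precedence rules (an entry's own capabilities win, and an earlier use= wins over a later one; "cap@" cancels an inherited capability). The entries embedded below are a constructed, trimmed imitation of the patch: the names are kept, the capability values are shortened, and the demo-* entries exist only to exercise the rules.

```python
# Added example, not from the article or the OpenBSD tree: a resolver for
# terminfo-style 'use=' inheritance, run over a constructed, trimmed imitation
# of the pccon entries in Listing 2 (entry names kept, values shortened).

CANCELLED = object()   # marker for "cap@", which removes an inherited capability

SAMPLE_SOURCE = r"""
# constructed building blocks, modelled on the layout of Listing 2
pccon+keys|OpenBSD PC keyboard keys,
    kbs=^H, kcub1=\E[D, kcud1=\E[B, kcuf1=\E[C, kcuu1=\E[A,
    kdch1=\E[3~, kend=\E[8~, kf1=\E[11~, khome=\E[7~,
pccon+acs0|simple ASCII pseudographics for OpenBSD PC console,
    acsc=j+k+l+m+n+q-t+u+v+w+x|,
pccon+acs|default ASCII pseudographics for OpenBSD PC console,
    acsc=jjkkllmmnnqqttuuvvwwxx, enacs=\E(B\E)0, smacs=^N, rmacs=^O,
pccon+colors|ANSI colors for OpenBSD PC console,
    bce, colors#8, pairs#64, op=\E[m$<2>, setab=\E[4%p1%dm$<2>,
pccon+base|base capabilities for OpenBSD PC console,
    am, km, msgr, xenl, xon, cols#80, it#8, lines#24,
    bel=^G, clear=\E[H\E[J$<50>, cup=\E[%i%p1%d;%p2%dH$<5>, el=\E[K$<3>,
pccon0-m|OpenBSD PC console without colors & with simple ASCII pseudographics,
    use=pccon+base,
    use=pccon+acs0,
    use=pccon+keys,
pccon0|OpenBSD PC console with simple ASCII pseudographics,
    use=pccon0-m,
    use=pccon+colors,
pccon-m|OpenBSD PC console without colors,
    use=pccon+base,
    use=pccon+acs,
    use=pccon+keys,
pccon|OpenBSD PC console,
    use=pccon-m,
    use=pccon+colors,
# constructed entries that exercise the precedence rules
demo-order|first use= wins over later ones,
    use=pccon+acs0,
    use=pccon+acs,
demo-own|own capabilities win over use=,
    cols#132, bce@,
    use=pccon,
"""


def parse_terminfo_source(text):
    """Parse terminfo source into {name: entry}; every alias maps to the same
    entry dict, which records the raw capability items and the use= targets."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                        # "name|alias|description,"
            fields = line.rstrip(",").split("|")
            current = {"names": fields[:-1], "desc": fields[-1], "caps": [], "uses": []}
            for alias in current["names"]:
                entries[alias] = current
            continue
        if current is None:
            raise ValueError("capability line before any entry header")
        for item in (p.strip() for p in line.strip().rstrip(",").split(",")):
            if item.startswith("use="):
                current["uses"].append(item[4:])
            elif item:
                current["caps"].append(item)
    return entries


def parse_cap(item):
    """'flag' -> True, 'num#5' -> int, 'str=value' -> str, 'cap@' -> CANCELLED."""
    if item.endswith("@"):
        return item[:-1], CANCELLED
    if "=" in item:
        name, value = item.split("=", 1)
        return name, value
    if "#" in item:
        name, value = item.split("#", 1)
        return name, int(value)
    return item, True


def _resolve(entries, name, stack=()):
    if name in stack:
        raise ValueError("use= cycle: " + " -> ".join(stack + (name,)))
    if name not in entries:
        raise KeyError(f"use={name}: no such entry")
    entry, merged = entries[name], {}
    # tic merges the use= entries last-to-first, so an earlier use= overrides a
    # later one, and the entry's own capabilities override all of them.
    for used in reversed(entry["uses"]):
        merged.update(_resolve(entries, used, stack + (name,)))
    merged.update(parse_cap(item) for item in entry["caps"])
    return merged


def resolve(entries, name):
    """Flattened capabilities of `name`; cancelled capabilities are dropped."""
    return {k: v for k, v in _resolve(entries, name).items() if v is not CANCELLED}


if __name__ == "__main__":
    table = parse_terminfo_source(SAMPLE_SOURCE)
    for term in ("pccon0-m", "pccon0", "pccon-m", "pccon"):
        print(term, sorted(resolve(table, term)))
```

Resolving pccon yields the base, acs, keys and colors capabilities together, while pccon-m has no bce or colors; the same resolver reports a use= cycle or a missing entry instead of silently producing a partial description.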


Note
To set up resolutions it is necessary to use the appropriate font:


• /usr/share/misc/pcvtfonts/koi8-r-8x08 for 80x50 resolution,
• /usr/share/misc/pcvtfonts/koi8-r-8x10 for 80x40 resolution,
• /usr/share/misc/pcvtfonts/koi8-r-8x16 for 80x25 resolution.
The appropriate fragments of /etc/rc.local are in Listing 3.


Note
To eliminate some color/attribute issues I usually run Midnight Commander as follows:


# mc -c --colors errdhotnormal=black,lightgray:menuhotsel=lightgray,black


That is all I have to tell about my work. Also I hope that the OpenBSD developers will find these terminal descriptions helpful and include them in the base OpenBSD distribution as the default configuration for the AMD/Intel console.


ALEXEI MALININ

Alexei graduated with a degree in applied mathematics. His adventure with UNIX started in 1990, and he has worked as a system/network administrator since 1991. He has been an OpenBSD fan since version 2.2.

Alexei.Malinin@inetcomm.ru
(Ab)using VideoLAN


Learn what you can do with your video and audio using the powerful VideoLAN command line interface


Dealing with video and audio data is part of our everyday life. Sometimes, though, we need to do things that fall into the "advanced" category. What tools should we use then?


What you will learn...

• That VideoLAN is a full-featured multimedia framework

• That you can combine VideoLAN's modules into powerful pipelines
• How to use VideoLAN in four real-life scenarios


A number of multimedia-related solutions are present in the Open-source world right now. Among the most popular and ubiquitous are MPlayer and VideoLAN.

They share a fair amount of the codebase (both use ffmpeg), but have somewhat different designs. MPlayer is famous for having a command line option for everything. It has rich functionality and you can enable or disable certain features using command line flags. Still, if you need to do something that MPlayer developers didn't expect you to need, you're in trouble.

VideoLAN's design (at least from the user perspective) is quite different. It's not just a player; it's a full-featured multimedia framework, like GStreamer or DirectShow. Although it has a rather simplistic user interface, you have total control over VideoLAN via the command line. You can build pipelines of filters and pass them as command line arguments. Unlike MPlayer, which can only play (you have to use MEncoder to encode data), VideoLAN can do any crazy thing you want with your video or audio.

VideoLAN's problem, though, is that this incredible flexibility isn't that well documented (though the situation is improving continuously). Let me share some examples of what VideoLAN can do:


Scenario 1 


My desktop FreeBSD machine is connected to my stereo 
and | use it for music. But it does not have a display, which 
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What you should know... 
¢« Howto use command line 

¢ Core networking concepts 

¢ Core video/audio concepts 


makes watching movies on it, er... problematic. So what | 
want is to be able to watch the movie on my laptop while 
redirecting the audio to my desktop machine. 

Let's start a VideoLAN that will listen to the UDP socket 
on port 1234 and play everything that it receives. 


vic udp:// 


Command that looks like vic {[smtn] tells VideoLAN 
to open something. In this case it's a UDP socket. 
VideoLAN uses port number 1234 by default. 

Now what we need is to start playing video on the 
laptop. We don't need any sound there, instead we want 
audio to be streamed to a desktop machine. Also we don't 
want to stream video to desktop machine — all we care 
about there is sound. Let’s try the following command: 


vlc some movie.avi --sout="#duplicate{dst=display{noaudio, 
delay=1250},dst=duplicate{dst=std{mux=ts, access=udp, dst= 
192.168.1.42:1234}, select=\"novideo\”}}}}"% 


Here we build a full fledged pipeline. duplicate module 
dispatches stream to a multitude of nested modules 
(modules’ chains specified with ast-). 

display is a module that, surprisingly enough, displays 
the stream on the current screen. It also plays sound on 
the local audio subsystem, but we disable that with the noaudio 
parameter, as we need only video on the laptop. We also 
use delay=1250: this is the default buffering time (in 
milliseconds) used by VideoLAN when transmitting and 
receiving data over the network. In order for picture and 
sound to be in sync, we need to delay the picture a bit, so 
that the receiver has enough time to buffer the sound. 

The second destination of the duplicate module is another 
duplicate module. We need it in order to specify the select=novideo 
option, which prevents video from being sent to std. 
std stands for standard: it's the standard sink for the 
data. In this particular case it sends the audio via UDP 
to 192.168.1.42:1234. As we need to send the stream in 
some format, we specify mux=ts, which means MPEG-TS, 
an MPEG container format specifically designed for use 
in networking environments. 

Now we have everything settled: you should hear the 
sound coming from the desktop machine and still see a 
perfectly synchronized video on your laptop. 


Scenario 2 


(a bit weird, but nice for demonstration). I have 2 laptops 
and I want to split the movie between them, i.e. to use 
their screens as one large screen. The laptops should 
stand next to each other; the left one should show the left 
half of the picture and the right one the right half. 

Not everything in VideoLAN can be tuned in the 
pipeline command line argument (--sout=...). It also has 
a number of general-purpose command line arguments. 
For example — --crop, which tells VideoLAN how to crop a 
picture that is displayed locally. 

Let's assume that our movie's size is 720x304. 

In order to fulfill the scenario, we need VideoLAN running 
as UDP server on one of the laptops. We'll receive the full 
picture here and will have to crop it in order to show only 
the right half. 


vlc udp:// --crop='309x303+310+0' 


The crop argument tells VideoLAN to use a picture of width 
309 and height 303 with an offset of 310x0 pixels from the 
top left corner of the original picture. 

Let’s execute the following on the second laptop: 


vlc some_movie.avi --sout="#duplicate{dst=display{delay=1250},dst=duplicate{dst=std{mux=ts,access=udp,dst=192.168.1.42:1234},select=\"noaudio\"}}" --crop='309x303+0+0' 


Similar to the previous scenario, we display the video 
on the local display with a delay of 1250 milliseconds. The crop 
argument tells VideoLAN to crop the picture to size 
309x303, which effectively shows us only the left part of 
the picture. We also stream the video (without audio 
data) to our UDP server host, which displays the second half 
of the picture. 

Now, if we run VideoLAN using the commands above on 
the 2 laptops, we'll see half of the picture on each laptop, with 
audio being played only by the second one. 


Scenario 3 

I am not at home and I want to use my laptop to watch 
a DVD movie stored on the hard drive of my desktop 
machine. 

The idea is that you may have a low-bandwidth 
connection that makes raw DVD data streaming 
impossible. Therefore what we need to do is to transcode 
the data stream on the fly. It's really not that hard. Let's start 
with the VideoLAN on the home machine (the quotes around 
the --sout value matter: an unquoted {a,b} is brace-expanded 
by bash before VideoLAN ever sees it): 


vlc dvd:///home/user/saved/dvd --sout="#transcode{vcodec=h264,vb=1024,deinterlace,acodec=mp4a,ab=96,channels=2}:std{access=http,mux=asf,dst=10.0.0.1:10005}" 


A couple of points here. First, we play a DVD that is stored 
on disk, so we use the special dvd:// syntax for that. Then 
we use the --sout argument to build our pipeline. The transcode 
module is VideoLAN's Swiss army knife for all kinds 
of stream transformations. 

Most of the options specified in the example are self- 
explanatory, so let's cover them just briefly: 


• vcodec: what video codec to use for transcoding. 
VideoLAN has implementations of practically all 
codecs that exist at this moment. We use h264 as 
one of the most effective. 

• vb: stands for video bitrate. As our bandwidth is 
limited, we limit the bitrate to 1 Mbit/s. 

• deinterlace: means that we want the picture to be 
deinterlaced prior to transcoding. 

• acodec: what audio codec to use. We use mp4a as 
one of the most effective ones. 

• ab: audio bitrate. 

• channels: number of audio channels in the audio 
streams that we want to have. It's reasonable to 
downmix audio to 2 channels when transmitting data 
over the network. 


Another important point is that we use access=http 
(instead of access=udp as in the previous examples). With 
access=udp, VideoLAN pushes the stream to the desired 
address. With access=http it acts as a server by itself, 
listening on the address and port given in dst. By default 
that server does no authentication: anyone who can reach 
10.0.0.1:10005 can fetch the movie. The http access output 
accepts user= and pwd= options for basic authentication, 
but on an untrusted network a firewall rule or an SSH 
tunnel is the safer choice. 

That's why on our remote machine we'll have to use the 
following command line: 

vlc http://10.0.0.1:10005 


The above command will connect to the VideoLAN 
started on the home machine and will stream the transcoded 
data from it. 


Scenario 4 
Transcode the movie to be played on an iPhone. 

This is fairly common. There are tons of tools that can 
do this. Still it's worth pointing out that you can also use 
VideoLAN for iPhone-targeted transcoding. Here's the 
command line you need: 


vlc in.avi --sout="#transcode{width=320,canvas-height=240,vcodec=mp4v,vb=768,acodec=mp4a,ab=96,channels=1,audio-sync}:std{access=file,mux=mp4,dst=\"out.mp4\"}" 


This example is also fairly straightforward. However, we 
use some new options here: 


• width: resize the video to have the given width. 

• canvas-height: note that we use it and not just 
height. When you use canvas-height, if the video 
can't be resized to the given height without changing its 
aspect ratio, it will be padded with black stripes. 

• audio-sync: it will insert additional frames or drop 
some frames in order for video and audio to be 
perfectly synced. Useful to avoid potential synchronization 
problems. 


It's also worth noting that we use access=file as our output 
and MP4 as the container format. 

If we run the above command, VideoLAN will start 
converting the stream as fast as possible. This is because 
we haven't specified display in our pipeline, so VideoLAN 
can process video faster than in real time. 
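All four scenarios hinge on getting the --sout chain right, and every command above had to fight the shell over quoting (escaped quotes inside double quotes, braces that bash would otherwise expand). The following is an added example, not code from the article or from the VideoLAN project: it builds the chain from nested Python data, quotes values only where VLC's chain parser needs it, and hands VLC an argv list so no shell escaping is involved at all (the shell form is produced only for copy-pasting). The function names and the sample host, port and file names are assumptions made for the example; the chain grammar itself (#module{opt=val,...}:module{...}) is VLC's own.

```python
"""Build VLC --sout chains from nested Python data.

Added example; not part of the original article or of VLC itself.
Function names and sample values (host, port, file names) are ours.
"""
import shlex
from typing import Any, List, Sequence, Tuple

# A module is (name, options).  Options are an ordered list of (key, value)
# pairs rather than a dict because keys such as dst= legitimately repeat
# inside duplicate{...}.
Module = Tuple[str, Sequence[Tuple[str, Any]]]

_NEEDS_QUOTING = set(',{}" ')   # characters the chain parser would misread


def quote_value(text: str) -> str:
    """Quote a value for the VLC chain parser only when it needs it."""
    if not any(ch in _NEEDS_QUOTING for ch in text):
        return text
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_option(key: str, value: Any) -> str:
    if value is True:                       # bare flag: deinterlace, noaudio, audio-sync
        return key
    if isinstance(value, list):             # nested chain, e.g. dst=std{...}
        return f"{key}={render_chain(value, top_level=False)}"
    return f"{key}={quote_value(str(value))}"


def render_chain(modules: Sequence[Module], top_level: bool = True) -> str:
    """Serialise a module list; the top-level chain gets the leading '#'."""
    parts = []
    for name, options in modules:
        rendered = ",".join(render_option(k, v) for k, v in options)
        parts.append(f"{name}{{{rendered}}}")
    chain = ":".join(parts)
    return "#" + chain if top_level else chain


def vlc_argv(source: str, chain: Sequence[Module], *extra: str) -> List[str]:
    """argv for subprocess.run(): no shell, so nothing to escape."""
    return ["vlc", source, "--sout=" + render_chain(chain), *extra]


def shell_line(argv: Sequence[str]) -> str:
    """The same command quoted for a POSIX shell (Python 3.8+)."""
    return shlex.join(argv)


# Scenario 1: muted local display, audio pushed to the desktop over UDP.
SCENARIO_1: List[Module] = [
    ("duplicate", [
        ("dst", [("display", [("noaudio", True), ("delay", 1250)])]),
        ("dst", [("duplicate", [
            ("dst", [("std", [("mux", "ts"), ("access", "udp"),
                              ("dst", "192.168.1.42:1234")])]),
            ("select", "novideo"),
        ])]),
    ]),
]

# Scenario 4: iPhone-sized MP4 written to a file whose name needs quoting.
SCENARIO_4: List[Module] = [
    ("transcode", [("width", 320), ("canvas-height", 240), ("vcodec", "mp4v"),
                   ("vb", 768), ("acodec", "mp4a"), ("ab", 96),
                   ("channels", 1), ("audio-sync", True)]),
    ("std", [("access", "file"), ("mux", "mp4"), ("dst", "my movie.mp4")]),
]

if __name__ == "__main__":
    print(shell_line(vlc_argv("some_movie.avi", SCENARIO_1)))
    print(shell_line(vlc_argv("in.avi", SCENARIO_4, "--crop=309x303+0+0")))
```

Passing vlc_argv(...) straight to subprocess.run() is the form to use from a script; shell_line() exists only so the result can be pasted into a terminal and compared with the hand-written commands above.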


The four scenarios described above show the power of 
VideoLAN's video and audio processing abilities. 
However, VideoLAN can do a lot more. For example, 
it has a pluggable interface system, which allows you 
to control VideoLAN via text input, window UI, infrared 
remote control, telnet, IRC and so on. But this is 
probably a different topic that will be covered in one of 
the next issues. 


MICHAEL BUSHKOV 

Michael Bushkov is an active FreeBSD user and former 
committer. He is one of the main contributors of FreeBSD’s 
nsswitch caching daemon (nscd) implementation. 
NetBSD Intrusion 
Detection Server 


How can we describe the functions of such a server? 


Sometimes a special type of system needs to be running on 
a server. This server serves a different purpose: it takes 
care of the network security. 


What you will learn... 

• How to run the Snort Intrusion Detection System on your machine. 

• If you have had bad experiences with hackers and intruders before, 
you now have the opportunity to detect such intruders. 

• What an IDS is and how it works. 


Rather than buy super-duper highly expensive IDS (Intrusion 
Detection System) machines, I will show you how 
to prepare such a custom made machine from a usual 
server. We all need IDS machines in our networks. 
The world, and the internet, have become more hostile, 
and sometimes a company's security depends heavily on 
the IDS that is silently processing packets somewhere in 
the network. 

The Intrusion Detection System, IDS for short, is a 
software system designed to help you detect attempts 
to access computer systems through a network. The 
IDS can help us detect unusual network activity 
and alert us about it. The system cannot directly 
detect attacks within properly encrypted traffic, but with 
appropriate rules you can get a wider picture of what 
is happening in your network or on your machines. So, the 
better the rules that the system uses, the better the 
detection results. And let's not forget that hackers 
become more innovative after every attempt. 

An intrusion detection system is used to detect several 
types of malicious behavior that can compromise the 
security and trust of a computer system. These types 
of behavior include network attacks against vulnerable 
services or host-based attacks that aim to take control of 
your machines. You and your machines, as well as all your 
equipment, are targets because most hackers want 
to gain access to what you have. In order to achieve that 
they may try many ways, such as unauthorized logins and 
access to sensitive files, or the use of viruses, trojan horses 
and worms. 

What you should know... 

• What NetBSD is. A basic knowledge of BSD operating systems is 
required. 

• To have had bad experiences with hackers and intruders. 

• A basic knowledge of networks. 

An IDS can be composed of several components: 
sensors, which generate security events; a console, to 
monitor events and alerts and to control the sensors; and a 
central engine that records the events logged by the sensors. 
An IDS can also use several output engines, such as a database, 
log files, pipes or network sockets. Each of the output 
engines is useful and has its own benefits, and the choice 
also affects the performance of the system. Of 
course, it is not the same to log to a local file and to log to 
a central database server, nor to log to 
a structured local file rather than a plain text file. 


The operating system of our choice: NetBSD 
NetBSD is primarily focused on high quality design, 
stability and performance of the system. I prefer to use 
NetBSD because, first, I am a fan and, second, I am 
an enthusiast. But one of the main reasons is that I have 
some small experience with other types of operating 
systems and I know why to use NetBSD. NetBSD is very 
fast and does not need a 100 000 euro machine just 
to do packet inspection. Some people probably prefer 
FreeBSD or OpenBSD, but I think that NetBSD is perfect 
for that kind of work. 


The Intrusion Detection System of our choice: Snort 

Snort is a free and open source network intrusion 
prevention system (NIPS) and network intrusion detection 
system (NIDS) capable of performing packet logging and 
real-time traffic analysis on IP networks. 

Snort has various ways to analyze and detect 
hacking activity. Some of these are protocol 
analysis and content searching/matching, and it is used to 
detect and block a variety of attacks and probes, such 
as buffer overflows, stealth port scans, web application 
attacks, SMB probes, or OS fingerprinting attempts. Run 
inline, the software can also be used for intrusion prevention, 
dropping attacks as they are taking place. 

There are several running modes available in 
Snort. It can be configured to run in the following modes: 

• Sniffer mode. In this mode, Snort simply reads the 
packets off the network and displays them for you on 
the console. 

• Packet Logger mode, which logs the packets to disk. 

• Network Intrusion Detection System (NIDS) mode. This 
has complex configuration options that allow Snort to 
analyze network traffic for matches against a user-defined 
rule set and perform several actions based upon what it 
sees. 


I do not intend to describe all the aspects 
of network security, and probably you do not wish 
that either; what I intend to show you is 
how to implement Snort on your NetBSD system. So, I 
intend to show you things as they are, based on my 
experience. In every piece of documentation on the internet you 
can find a dry description of how to use Snort, what its 
options are and what those options mean, but there is 
rarely information from real life. And my efforts are 
mostly focused on this. 

An intrusion detection system like Snort is a perfect 
tool to protect you, but it should be used properly to take 
maximum effect. I would remark that such a system is 
especially beneficial when used in combination with an 
optimized and highly effective operating system like 
NetBSD. We all know that NetBSD is a preferred choice 
for servers with a requirement for high reliability, especially 
firewalls, gateways or border machines accessible from the 
internet. I would like to say that I prefer to use Snort for 
one more thing: the case where I have to protect specific 
services against bug exploitation. For many people it 
may seem strange how such a system could be used to protect 
services from having their own bugs exploited, but it is 
possible. Let me show you a real life example from my 
personal experience. 





Listing 1. Installation of Snort 


# pkg_add snort 
snort-2.8.5.1: Creating group 'snort' 
snort-2.8.5.1: Creating user 'snort' 
useradd: Warning: home directory '/nonexistent' doesn't exist, and -m was not specified 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/classification.config to /usr/pkg/etc/snort/classification.config 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/gen-msg.map to /usr/pkg/etc/snort/gen-msg.map 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/generators to /usr/pkg/etc/snort/generators 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/reference.config to /usr/pkg/etc/snort/reference.config 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/sid-msg.map to /usr/pkg/etc/snort/sid-msg.map 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/snort.conf.default to /usr/pkg/etc/snort/snort.conf 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/threshold.conf to /usr/pkg/etc/snort/threshold.conf 
snort-2.8.5.1: Copying /usr/pkg/share/examples/snort/unicode.map to /usr/pkg/etc/snort/unicode.map 
=========================================================================== 
The following files should be created for snort-2.8.5.1: 

        /etc/rc.d/snort (m=0755) 
            [/usr/pkg/share/examples/rc.d/snort] 

=========================================================================== 
$NetBSD: MESSAGE,v 1.5 2005/09/14 12:46:52 adrianp Exp $ 
Listing 2a. Output of running Snort, initializing Snort 


Running in IDS mode 

        --== Initializing Snort ==-- 
Initializing Output Plugins! 
Initializing Preprocessors! 
Initializing Plug-ins! 
Parsing Rules file /usr/local/etc/snort/snort.conf 
PortVar 'HTTP_PORTS' defined :  [ 80 ] 
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] 
PortVar 'ORACLE_PORTS' defined :  [ 1521 ] 
Frag3 global config: 
    Max frags: 65536 
    Fragment memory cap: 4194304 bytes 
Frag3 engine config: 
    Target-based policy: FIRST 
    Fragment timeout: 60 seconds 
    Fragment min_ttl:   1 
    Fragment ttl_limit (not used): 5 
    Fragment Problems: 1 
Stream5 global config: 
    Track TCP sessions: ACTIVE 
    Max TCP sessions: 8192 
    Memcap (for reassembly packet storage): 8388608 
    Track UDP sessions: INACTIVE 
    Track ICMP sessions: INACTIVE 
Stream5 TCP Policy config: 
    Reassembly Policy: FIRST 
    Timeout: 30 seconds 
    Min ttl:  1 
    Options: 
        Static Flushpoint Sizes: YES 
    Reassembly Ports: 
      21 client (Footprint) 
      23 client (Footprint) 
      25 client (Footprint) 
      42 client (Footprint) 
      53 client (Footprint) 
      80 client (Footprint) 
      110 client (Footprint) 
      111 client (Footprint) 
      135 client (Footprint) 
      136 client (Footprint) 
      137 client (Footprint) 
      139 client (Footprint) 
      143 client (Footprint) 
      445 client (Footprint) 
      513 client (Footprint) 
      514 client (Footprint) 
      1433 client (Footprint) 
      1521 client (Footprint) 
      2401 client (Footprint) 
      3306 client (Footprint) 
HttpInspect Config: 
    GLOBAL CONFIG 
      Max Pipeline Requests:    0 
      Inspection Type:          STATELESS 
      Detect Proxy Usage:       NO 
      IIS Unicode Map Filename: /usr/local/etc/snort/unicode.map 
      IIS Unicode Map Codepage: 1252 
    DEFAULT SERVER CONFIG: 
      Server profile: All 
      Ports: 80 8080 8180 
      Flow Depth: 300 
      Max Chunk Length: 500000 
      Max Header Field Length: 0 
      Inspect Pipeline Requests: YES 
      URI Discovery Strict Mode: NO 
      Disable Alerting: NO 
      Oversize Dir Length: 500 
      Only inspect URI: NO 
      Ascii: YES alert: NO 
      Double Decoding: YES alert: YES 
      %U Encoding: YES alert: YES 
      Bare Byte: YES alert: YES 
      Base36: OFF 
      UTF 8: OFF 
      IIS Unicode: YES alert: YES 
      Multiple Slash: YES alert: NO 
      IIS Backslash: YES alert: NO 
      Directory Traversal: YES alert: NO 
      Web Root Traversal: YES alert: YES 
      Apache WhiteSpace: YES alert: NO 
      IIS Delimiter: YES alert: NO 
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG 
      Non-RFC Compliant Characters: NONE 
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d 
rpc_decode arguments: 
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE 
    alert_large_fragments: ACTIVE 
    alert_incomplete: ACTIVE 
    alert_multiple_requests: ACTIVE 
Portscan Detection Config: 


Listing 2b. Showing configuration 


    Detect Protocols:  TCP UDP ICMP IP 
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan 
    Sensitivity Level: Low 
    Memcap (in bytes): 10000000 
    Number of Nodes:   36900 

Tagged Packet Limit: 256 
Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so... done 
Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/... 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done 
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/ 
FTPTelnet Config: 
    GLOBAL CONFIG 
      Inspection Type: stateful 
      Check for Encrypted Traffic: YES alert: YES 
      Continue to check encrypted data: NO 
    TELNET CONFIG: 
      Ports: 23 
      Are You There Threshold: 200 
      Normalize: YES 
      Detect Anomalies: NO 
    FTP CONFIG: 
      FTP Server: default 
        Ports: 21 
        Check for Telnet Cmds: YES alert: YES 
        Identify open data channels: YES 
      FTP Client: default 
        Check for Bounce Attacks: YES alert: YES 
        Check for Telnet Cmds: YES alert: YES 
        Max Response Length: 256 
SMTP Config: 
    Ports: 25 587 691 
    Inspection Type: Stateful 
    Normalize: EXPN RCPT VRFY 
    Ignore Data: No 
    Ignore TLS Data: No 
    Ignore SMTP Alerts: No 
    Max Command Line Length: Unlimited 
    Max Specific Command Line Length: 
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260 RCPT:300 VRFY:255 
    Max Header Line Length: Unlimited 
    Max Response Line Length: Unlimited 
    X-Link2State Alert: Yes 
    Drop on X-Link2State Alert: No 
    Alert on commands: None 
DCE/RPC Decoder config: 
    Autodetect ports ENABLED 
    SMB fragmentation ENABLED 
    DCE/RPC fragmentation ENABLED 
    Max Frag Size: 3000 bytes 
    Memcap: 100000 KB 
    Alert if memcap exceeded DISABLED 
DNS Config: 
    DNS Client rdata txt Overflow Alert: ACTIVE 
    Obsolete DNS RR Types Alert: INACTIVE 
    Experimental DNS RR Types Alert: INACTIVE 
    Ports: 53 
SSLPP config: 
    Encrypted packets: not inspected 
    Ports: 
      443      465      563      636      989 
      992      993      994      995 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
1 Snort rules read 


Listing 2c. Reading rule chains 


    1 detection rules 
    0 decoder rules 
    0 preprocessor rules 
1 Option Chains linked into 1 Chain Headers 
0 Dynamic rules 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

+-------------------[Rule Port Counts]--------------------- 
|             tcp     udp    icmp      ip 
|     src       0       0       0       0 
|     dst       0       0       0       0 
|     any       1       0       0       0 
|      nc       0       0       0       0 
|     s+d       0       0       0       0 
+---------------------------------------------------------- 

+-----------------------[thresholding-config]-------------- 
| memory-cap : 1048576 bytes 
+-----------------------[thresholding-global]-------------- 
| none 
+-----------------------[thresholding-local]--------------- 
| none 
+-----------------------[suppression]---------------------- 
| none 
----------------------------------------------------------- 
Rule application order: activation->dynamic->pass->drop->alert->log 
Log directory = /var/log/snort/ 
Verifying Preprocessor Configurations! 
0 out of 64 flowbits in use. 

*** 
*** interface device lookup found: em0 
*** 

Initializing Network Interface em0 
Decoding Ethernet on interface em0 

[ Port Based Pattern Matching Memory ] 
+-[AC-BNFA Search Info Summary]------------------------------ 
| Instances        : 4 
| Num States       : 225 
| Num Match States : 69 
| Memory           :   10.83Kbytes 
+------------------------------------------------------------- 


Listing 2d. Initialization Complete 


        --== Initialization Complete ==-- 

   ,,_     -*> Snort! <*- 
  o"  )~   Version [...] NetBSD 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html 
           (C) Copyright 1998-2008 Sourcefire Inc., et al. 
           Using PCRE version: [...] 

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version [...] 
           Preprocessor Object: SF_SSLPP  Version [...] 
           Preprocessor Object: SF_SSH  Version [...] 
           Preprocessor Object: SF_SMTP  Version [...] 
           Preprocessor Object: SF_FTPTELNET  Version [...] 
           Preprocessor Object: SF_DNS  Version [...] 
           Preprocessor Object: SF_DCERPC  Version [...] 
           Preprocessor Object: Dynamic Example Preprocessor  Version 1.0  <Build 1> 
Not Using PCAP_FRAMES 

=============================================================================== 
Packet Wire Totals: 
   Received:            0 
   Analyzed:            0 (0.000%) 
    Dropped:            0 (0.000%) 
Outstanding:            0 (0.000%) 
=============================================================================== 
Breakdown by protocol (includes rebuilt packets): 
      ETH: 0          (0.000%) 
  ETHdisc: 0          (0.000%) 
     VLAN: 0          (0.000%) 
     IPV6: 0          (0.000%) 
  IP6 EXT: 0          (0.000%) 
  IP6opts: 0          (0.000%) 
  IP6disc: 0          (0.000%) 
      IP4: 0          (0.000%) 
  IP4disc: 0          (0.000%) 
    TCP 6: 0          (0.000%) 
    UDP 6: 0          (0.000%) 
   ICMP 6: 0          (0.000%) 
  ICMP-IP: 0          (0.000%) 
      TCP: 0          (0.000%) 
      UDP: 0          (0.000%) 
     ICMP: 0          (0.000%) 
  TCPdisc: 0          (0.000%) 
  UDPdisc: 0          (0.000%) 
  ICMPdis: 0          (0.000%) 
     FRAG: 0          (0.000%) 
   FRAG 6: 0          (0.000%) 
    EAPOL: 0          (0.000%) 
  ETHLOOP: 0          (0.000%) 
      IPX: 0          (0.000%) 
    OTHER: 0          (0.000%) 
  DISCARD: 0          (0.000%) 
InvChkSum: 0          (0.000%) 
   S5 G 1: 0          (0.000%) 
   S5 G 2: 0          (0.000%) 
    Total: 0 
=============================================================================== 
Action Stats: 
ALERTS: 0 
LOGGED: 0 
PASSED: 0 
=============================================================================== 
Frag3 statistics: 
        Total Fragments: 0 
      Frags Reassembled: 0 
               Discards: 0 
          Memory Faults: 0 
               Timeouts: 0 
               Overlaps: 0 
              Anomalies: 0 
                 Alerts: 0 
     FragTrackers Added: 0 
    FragTrackers Dumped: 0 
FragTrackers Auto Freed: 0 
    Frag Nodes Inserted: 0 
     Frag Nodes Deleted: 0 
=============================================================================== 
Stream5 statistics: 
            Total sessions: 0 
              TCP sessions: 0 
              UDP sessions: 0 
             ICMP sessions: 0 
                TCP Prunes: 0 
                UDP Prunes: 0 
               ICMP Prunes: 0 
TCP StreamTrackers Created: 0 
TCP StreamTrackers Deleted: 0 
              TCP Timeouts: 0 
              TCP Overlaps: 0 
       TCP Segments Queued: 0 
     TCP Segments Released: 0 
       TCP Rebuilt Packets: 0 
         TCP Segments Used: 0 
              TCP Discards: 0 
      UDP Sessions Created: 0 
              UDP Timeouts: 0 
              UDP Discards: 0 
                    Events: 0 
=============================================================================== 


Recently I wrote a server application that receives and 
sends data through a port to other clients in the network. 
Nothing special; anybody can write such a daemon to 
do that. Yes, exactly, but I am not a perfect programmer 
and I usually have some bugs in my applications (like 
many developers). In fact, who does not make mistakes? 
Probably the one that does not work... 

So, this server had some weak points and I needed 
to protect it from exploitation of these bugs. Of course 
I had an idea how to fix the bugs, but doing so needed 
some time, and at that moment I had no time 
to fix any bug. Instead, I had to prepare some 
solution, because I needed that server to work and I 
needed it to work correctly. Probably many people will 
say: of course, fixing the bug is the most appropriate 
solution; after that the server should be ok. Yes, but 
all applications have bugs and the bugs appear 
progressively. So, let me explain how I used Snort to cover 
for the server. Snort gives me the opportunity to sniff the 
traffic, so I could see the packets and log a message if 
there was an attempt at bug exploitation, or I could even 
drop the packet. This is just a small area where Snort 
can be useful. 
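The article does not show the rules that shielded the daemon, so the following is an added example, not the author's rules or Snort code. It models two idioms a practitioner would reach for in this situation: a content rule that catches a request whose command line is long enough to hit a fixed-size buffer, and a detection_filter rule that fires once one source has opened too many SSH connections in a minute (the login attempts the author describes further on). The daemon, its port 5555, its "CMD " request prefix and all the traffic are constructed for illustration; the two rules quoted in the comments use Snort 2.8 option names, but the matcher itself is a toy reproduction of their logic, not Snort.

```python
"""Mini model of two Snort rule idioms for protecting a home-grown daemon.

Added example; not code from the article or from the Snort project.  The
daemon, its port, the "CMD " prefix and the sample traffic are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

DAEMON_PORT = 5555   # assumption: the port the home-grown daemon listens on
SSH_PORT = 22


@dataclass
class Packet:
    ts: float                  # seconds since capture start
    src: str
    dport: int
    syn: bool = False          # TCP SYN flag set
    payload: bytes = b""


# Rule A, as it would be written in local.rules:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"mydaemon oversize CMD";
#     flow:to_server,established; content:"CMD "; depth:4;
#     isdataat:256,relative; sid:1000001; rev:1;)
# content + depth:4 pins the match to the first four bytes; isdataat:256,relative
# asks whether a byte exists 256 positions past the match, i.e. whether more
# than 256 bytes of command follow the prefix (the buffer the daemon overruns).
def rule_oversize_cmd(pkt: Packet) -> bool:
    prefix = b"CMD "
    if pkt.dport != DAEMON_PORT:
        return False
    if pkt.payload[:len(prefix)] != prefix:
        return False
    return len(pkt.payload) - len(prefix) > 256


# Rule B:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection flood";
#     flags:S; detection_filter:track by_src, count 5, seconds 60;
#     sid:1000002; rev:1;)
class SynRateFilter:
    """detection_filter semantics: fire on the count-th matching packet from
    one source inside the window, and on every further one while inside it."""

    def __init__(self, count: int = 5, seconds: float = 60.0) -> None:
        self.count = count
        self.seconds = seconds
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def __call__(self, pkt: Packet) -> bool:
        if pkt.dport != SSH_PORT or not pkt.syn:
            return False
        window = self.seen[pkt.src]
        window.append(pkt.ts)
        while window and pkt.ts - window[0] > self.seconds:
            window.popleft()                  # expire timestamps outside the window
        return len(window) >= self.count


def run(packets: List[Packet]) -> List[Tuple[float, str, str]]:
    """Apply both rules in order; return (ts, src, msg) for every alert."""
    syn_filter = SynRateFilter()
    alerts: List[Tuple[float, str, str]] = []
    for pkt in packets:
        if rule_oversize_cmd(pkt):
            alerts.append((pkt.ts, pkt.src, "mydaemon oversize CMD"))
        if syn_filter(pkt):
            alerts.append((pkt.ts, pkt.src, "SSH connection flood"))
    return alerts


# Constructed traffic: one legitimate command, one oversized command, then a
# single host opening six SSH connections within a minute.
SAMPLE = [
    Packet(0.0, "10.0.2.15", DAEMON_PORT, payload=b"CMD status\n"),
    Packet(1.0, "203.0.113.7", DAEMON_PORT, payload=b"CMD " + b"A" * 300),
] + [Packet(10.0 + i, "203.0.113.7", SSH_PORT, syn=True) for i in range(6)]

if __name__ == "__main__":
    for ts, src, msg in run(SAMPLE):
        print(f"[{ts:6.1f}] {src:<14} {msg}")
```

Running it prints one alert for the 300-byte command and two for the SSH source, on its fifth and sixth SYN. In real Snort the first rule becomes a "drop" rule only when Snort runs inline; as an "alert" rule on a passive sensor it logs the attempt and leaves blocking to the firewall.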

I would also remark on the perfect combination of 
NetBSD, its firewall, and Snort that one can use. This 
combination is suitable for border machines 
where security is of high importance. I would prefer 
to use it to get the maximum possible protection for my 
network. Let me show you an example with the server 
mentioned before. 3 days after the server started I had 
to analyze the logs and I was totally shocked. The hack 
attempts were sooo many. Actually the server offers 2 
services: SSH and the service of my daemon. There 
were dozens of attempts to log in with usernames 
like melinda, jack, etc., and also some attempts 
with the root user. Of course, I was prepared for this 
and I had configured Snort to inspect the incoming packets. 
Then I checked the log file from time to time to collect 
new information about the IP addresses that breached 
the line. 

Let's have a look at another situation. I have a 
connection to the internet, I use PPPoE, and I see how difficult 
the life of the ISP in my area is. I would advise any internet 
service provider to use Snort. Basically, an ISP should 
provide service to all of its customers, but there are a lot 
of customers that do not want just to use that service but 
also want to use it for bad things like hacking, stealing 
passwords or some other illegal activity. So, in simple 
words, the ISP has a very bad job... The provider also has 
to protect its customers from each other and protect their 
data. Let's not forget the threats from the internet, and 
if we summarize all these things together we have the real 
position of the ISP. And I would say that is not a good 
position. On one side the ISP should provide service 
and on the other side this provider should protect the 
customers. 

This is the right place where Snort and NetBSD together 
can fight all the problems of such ISPs. 


Basically, Snort can be used to detect, stop and report 
illegal activity, and in that case it can make the ISP's life 
easier. This is just an example of how an intrusion detection 
system like Snort can be useful. 

Let's get Snort to work on our machine (see Listing 1). 

That installed Snort on my system. You should check 
whether you need some other packages to be installed; it is 
different for every system, so if the pkg_add program needs 
more packages you should install them as well. 

Then you can focus on your work with Snort. Actually 
working with it is very simple. There is a configuration file 
called snort.conf and several rules files. 

I keep the configuration file in /etc/snort/snort.conf and the 
rules are there also, so all the files are available in the /etc/ 
snort/ directory. You can keep them at any location that you 
want; this is not important, as long as the RULE_PATH variable 
in snort.conf and the -c argument below point at the right places. 

To use Snort, you will need to perform the following 
steps: 


Step 1. 
In case you don't have PKG_RCD_SCRIPTS set in your /etc/ 
mk.conf, copy 





Listing 3. Example detection log 

Priority: 0 
02/20-18:53:50.855446 [src MAC] -> [dst MAC] type:0x800 len:0x3C 
[src IP]:3128 -> 10.0.2.15:1247 TCP TTL:64 TOS:0x0 ID:27313 IpLen:20 DgmLen:44 
[flags] Seq: 0x1554F25A  Ack: 0xA12F3F1  Win: 0x2000  TcpLen: 24 

[three further packets of the same exchange in the same format, 
each with DgmLen:40, Win: 0x2238 and TcpLen: 20] 








BSD MAGAZINE 09/2011 





/usr/pkg/share/examples/rc.d/snort to 
/etc/rc.d/snort and add 


snort=YES 


to /etc/rc.conf. 


Step 2. 
Now start Snort by issuing the command 


/etc/rc.d/snort start 


We can also run Snort by hand, without starting it as a 
service. 
Run Snort with the following command: 


snort -c /path-to-your-config-file -de -l /path-to-your-log-directory 


That will run Snort with the configuration file at /path- 
to-your-config-file and the log directory at /path-to-your-log- 
directory; -d dumps the application-layer data and -e the 
link-layer headers of the packets it logs. Snort needs root to 
open the interface, but you can have it drop privileges to the 
snort user that the package created by adding -u snort -g snort. 

This is some example output that you should see (Listing 2). 
When you stop it with Ctrl-C, Snort prints its statistics and exits: 


Snort exiting 
Run time prior to being shutdown was 3.14117 seconds 


Some example logs: as you can see, the logs have 
information about source and destination ports and other 
basic information about the packet (see Listing 3). 
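The author checks the log file by hand to collect the addresses behind the attempts. The following is an added example, not code from the article or from Snort, that does that tallying over Snort's one-line "alert_fast" format (the -A fast output, not the multi-line packet dump shown in Listing 3). The alert lines are constructed to look like Snort 2.8 fast alerts; the rule names and addresses in them are made up. The only Snort detail the parser relies on is the layout of that one line.

```python
"""Summarise Snort alert_fast lines per source address.

Added example; not from the article or the Snort project.  SAMPLE_LOG is
constructed; only the alert_fast line layout is taken from Snort.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# 02/20-18:53:50.855446  [**] [1:1000002:1] SSH connection flood [**]
#     [Priority: 3] {TCP} 203.0.113.7:41234 -> 10.0.2.15:22
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: three alerts from one host, one daemon alert, one ping,
# and a junk line that must be ignored rather than crash the parser.
SAMPLE_LOG = """\
02/20-18:53:50.855446  [**] [1:1000002:1] SSH connection flood [**] [Priority: 3] {TCP} 203.0.113.7:41234 -> 10.0.2.15:22
02/20-18:53:51.102311  [**] [1:1000002:1] SSH connection flood [**] [Priority: 3] {TCP} 203.0.113.7:41235 -> 10.0.2.15:22
02/20-18:54:02.000017  [**] [1:1000001:1] mydaemon oversize CMD [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:50111 -> 10.0.2.15:5555
02/20-18:55:10.411000  [**] [1:1000002:1] SSH connection flood [**] [Priority: 3] {TCP} 203.0.113.7:41240 -> 10.0.2.15:22
02/20-18:55:11.000000  [**] [1:100:1] ICMP Ping [**] [Priority: 3] {ICMP} 192.0.2.44 -> 10.0.2.15
this line is not an alert and must be skipped
"""


def parse_alerts(lines: Iterable[str]) -> List[dict]:
    """Return one dict of named fields per line that is a fast alert."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.rstrip("\n"))
        if m:
            alerts.append(m.groupdict())
    return alerts


def by_source(alerts: List[dict]) -> Dict[str, Counter]:
    """source IP -> Counter of alert messages seen from it."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for a in alerts:
        table[a["src"]][a["msg"]] += 1
    return table


def noisy_sources(alerts: List[dict], min_alerts: int = 3) -> List[Tuple[str, int]]:
    """Sources with at least min_alerts alerts, busiest first.

    Treat this as a review list, not a block list: a rule that fires on a
    bare SYN, on ICMP or on UDP can be triggered with a spoofed source
    address, so feeding it straight into the firewall punishes bystanders.
    """
    totals = Counter(a["src"] for a in alerts)
    hits = [(src, n) for src, n in totals.items() if n >= min_alerts]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG.splitlines())
    for src, counter in by_source(parsed).items():
        print(src, dict(counter))
    print("review:", noisy_sources(parsed))
```

Point parse_alerts() at open("/var/log/snort/alert") instead of SAMPLE_LOG to run it on a real sensor; the regex tolerates the optional Classification field and port-less ICMP alerts, both of which appear in real logs.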


Summary 

Any type of operating system can be used for such 
a server, but it should be fast, reliable and secure. 
Performance is very important because an IDS is a network 
dependent system: the faster our server processes the 
packets, the faster it will detect an attack, and the faster it 
detects the attack, the faster it will alert other systems about the 
situation. So, in order to achieve these goals, we need big 
iron and a fast operating system. 